risk and management accouting
TRANSCRIPT
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 1/189
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 2/189
Risk and ManagementAccounting: Best PracticeGuidelines for Enterprise-wideInternal Control Procedures
i
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 3/189
ii
This page intentionally left blank
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 4/189
Risk and ManagementAccounting: Best PracticeGuidelines for Enterprise-wide
Internal Control ProceduresPaul M CollierAnthony J BerryGary T Burke
AMSTERDAM ● BOSTON ● HEIDELBERG ● LONDON ● NEW YORK ● OXFORD
PARIS ● SAN DIEGO ● SAN FRANCISCO ● SINGAPORE ● SYDNEY ● TOKYO
CIMA Publishing is an imprint of Elsevier
iii
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 5/189
CIMA Publishing is an imprint of ElsevierLinacre House, Jordan Hill, Oxford OX2 8DP
30 Corporate Drive, Suite 400, Burlington, MA 01803, USA
First edition 2007
Copyright 2007, Elsevier Ltd. All rights reserved
No part of this publication may be reproduced, stored in a retrieval systemor transmitted in any form or by any means electronic, mechanical, photocopying,recording or otherwise without the prior written permission of the publisher
Permissions may be sought directly from Elsevier's Science & Technology RightsDepartment in Oxford, UK: phone (+44) (0) 1865 843830; fax (+44) (0) 1865 853333;
email: [email protected]. Alternatively you can submit your request online byvisiting the Elsevier web site at http://elsevier.com/locate/permissions, and selectingObtaining permission to use Elsevier material
NoticeNo responsibility is assumed by the publisher for any injury and/or damage to personsor property as a matter of products liability, negligence or otherwise, or from any useor operation of any methods, products, instructions or ideas contained in the materialherein.
British Library Cataloguing in Publication Data
A catalogue record for this book is available from the British Library
Library of Congress Cataloguing in Publication DataA catalogue record for this book is available from the Library of Congress
ISBN-13: 978-0-7506-8040-0ISBN-10: 0-7506-8040-7
For information on all Butterworth-Heinemann publicationsvisit our web site at http://books.elsevier.com
Printed and bound in Great Britain
07 08 09 10 10 9 8 7 6 5 4 3 2 1
iv
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 6/189
C on t e n t s
v
Contents
About the authors ix
Acknowledgements xi
List of figures xiii
List of tables xv
Executive summary xvii
Introduction xxvii
1 Governance, risk and control 1Introduction 3
Corporate governance 3Risk 5
Risk management 10
Managers and risk 13
Risk and control 18
The changing role of management accountants 20
Summary 22
2 Exploratory case studies 25
Purpose 27Research design 27
Research findings 28
Risk 28
Budgets 29
Risk construction and domains of risk 30
Process and content of budgets 31
Summary of main case study findings 33
3 Survey research 35Introduction 37
Survey design 37
Risk management practices 37
The role of accountants in risk management 40
The survey instrument 41
Survey analysis 43
Survey results 49
Demographics 49Environmental uncertainty 49
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 7/189
Drivers of risk management 49
Risk propensity 52
Attitudes to risk 54
Risk processes and culture 55
Trends in risk management approach 57
Risk management methods 58Involvement of accountants in risk management 60
Perceived consequences of risk management 62
Modes of risk management 62
Costs and benefits of risk management 65
Risk stance 66
Regression analysis 66
Risk management and financial market risk 69
Summary of main survey findings 71
4 Interview data 75The traditional approach to risk management 77
Explanations for survey results 80
Drivers of risk management 80
Trends in risk management 82
Effectiveness of methods 83
Involvement of management accountants in risk
management 85The effectiveness of risk management 88
The benefits of risk management 89
Embedding risk management in culture 90
Conclusion 93
Summary of main interview findings 94
Note 95
5 Research findings 97
The literature review 99Summary of main case study findings 100
Summary of main survey findings 101
Summary of main interview findings 103
Revised framework for risk management 104
Risk and the social construction of uncertainty 107
The risk of control 108
Limitations of the research 109
C o n t e n t s
vi
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 8/189
C on t e n t s
vii
6 Summary of research and best practiceimplications 111The importance of risk management 113
Research conclusions 116
Summary of research findings and implications
for best practice 118Main survey findings and best practice implications 118
Results of interviews to explore survey findings
and best practice implications 120
Summary of best practice implications 121
Implications for risk managers and management accountants 123
References 125
Appendix 1 Copy of questionnaire 131
Appendix 2 Expanded statistical tables 137
Index 151
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 9/189
viii
This page intentionally left blank
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 10/189
A b o u t t h e A u t h or s
ix
About the Authors
Dr Paul M Collier was senior lecturer in management accounting at Aston
Business School but is now at the Department of Accounting and Finance,
Monash University in Melbourne, Australia. Before becoming an aca-
demic, Paul held a number of senior financial and general managementpositions in Australia and the UK.
Professor Anthony J Berry is Professor in the Business School at
Manchester Metropolitan University. After ten years in the UK and US air-
craft industries he became a faculty member of the Manchester Business
School. He was later Director of the Management Research Institute at
Sheffield Hallam University. His research interests include management
control, risk, consultancy and leadership. He has published extensively in
UK and international journals.
Gary T Burke worked as the Research Assistant on the CIMA-funded risk
management project, while studying for his part-time MBA. He has worked
as a financial analyst for a number of large UK PLCs and has managed the
Management Development Programme at Aston University. He is currently
undertaking an ESRC-sponsored PhD at Aston University exploring public-
private partnerships.
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 11/189
x
This page intentionally left blank
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 12/189
A c k n owl e d g e m e n t s
xi
Acknowledgements
The authors gratefully thank CIMA for providing research funds that
enabled the case studies, survey and analysis described in this report to be
carried out. We are also grateful for the comments of two anonymous
reviewers on an earlier version of this report.
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 13/189
xii
This page intentionally left blank
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 14/189
L i s
t of F i g ur e s
xiii
List of Figures
Figure 1.1 Ideal types applied to risk management stances
(Based on Adams, 1995 and Douglas and Wildavsky, 1983) 18
Figure 3.1 Conjectured relationships in our study 39
Figure 3.2 Framework for risk management practices inorganisations 41
Figure 3.3 Trends in risk management 57
Figure 3.4 Classification of risk management responses
by risk stance 67
Figure 5.1 Revised framework for risk management
practices in organisations 106
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 15/189
xiv
This page intentionally left blank
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 16/189
L i s t of T a b l e s
xv
List of Tables
Table 3.1 Summary of survey responses 43
Table 3.2 Factor analysis 44
Table 3.3 Correlations of grouped responses 46
Table 3.4 Competitive intensity, uncertainty and risk 50Table 3.5 Drivers of risk management 51
Table 3.6 Stakeholder involvement in risk management 52
Table 3.7 Propensity to take risks 53
Table 3.8 Changing propensity to take risks 53
Table 3.9 Personal propensity versus the organisation’s
propensity 53
Table 3.10 Personal perspectives about risk
management (%) 54Table 3.11 Risk management in the organisation (%) 54
Table 3.12 Supporting processes and culture 56
Table 3.13 Categories of risk management methods 59
Table 3.14 Usage rate of risk management methods 59
Table 3.15 Job title primarily accountable for
risk management 61
Table 3.16 Integration of organisational management
accounting and risk management functions 61
Table 3.17 The level of involvement of management
accounting in the organisation’s risk management 62
Table 3.18 Consequences of risk management 63
Table 3.19 Risk management options employed 64
Table 3.20 Perceived effectiveness of risk management
approaches 65
Table 3.21 RM practices have delivered benefits that
exceed the costs of those practices 66
Table 3.22 Improved performance: linear regressionsfor group variables 68
Table 3.23 Risk stance: predictor variables and
adjusted R squared 69
Table 3.24 Mean values of risk measures in relation
to risk stance 70
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 17/189
xvi
This page intentionally left blank
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 18/189
E x e c u t i v
e S umm a r y
xvii
Executive Summary
Introduction
This book presents the findings from two research projects on risk
funded by grants provided by CIMA. The first grant was for a pilot
study comprising four mini-case studies. Our major focus in that
study was on how risk impacted upon budgeting. The second grant
was for a comprehensive survey and analysis of risk management in
organisations and, in particular, how risk management impacted on
both internal controls and on the role of the management account-
ant. Following the statistical analysis of the survey, interviews were
conducted with survey respondents and risk management profes-
sionals in order to help us explain our findings. This report there-fore provides the results of these three phases of our research.
The book contains:
A review of the practitioner and academic literature as it affects
governance, risk management and management accounting.
◆ The four exploratory case studies.
◆ A comprehensive description of the survey design and results.
◆ Excerpts from the interview data in relation to the surveyresults.
◆ A summary of the research findings.
◆ Implications for best practice.
Risk and risk management
Risk has traditionally been defined in terms of the possibility of
danger, loss, injury or other adverse consequences. In accountingand finance, risk is considered in terms of decision trees, probabil-
ity distributions, cost-volume-profit analysis, discounted cash
flow, capital assets pricing models and hedging techniques, etc.
Risk management is the process by which organisations methodi-
cally address the risks attaching to their activities in pursuit of
organisational objectives and across the portfolio of all their activ-
ities. Effective risk management involves risk assessment, risk eval-
uation, risk treatment, and risk reporting. The focus of good risk
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 19/189
management is the identification and treatment of those risks in
accordance with the organisation’s risk appetite. The enterprise
risk management approach is intended to align risk management
with business strategy and embed a risk management culture into
business operations.
The Committee of Sponsoring Organisations of the Treadway
Commission (COSO) (2004) model of internal control comprises
eight components:
1. The internal environment sets the basis for how risk is viewed
and the organisational appetite for risk.
2. Organisational objectives must be consistent with risk appetite.
3. Events affecting achievement of objectives must be identified,
distinguishing between risks and opportunities.
4. Risk assessment involves the analysis of risks into their likeli-
hood and impact in order to determine how they should be
managed.
5. Management then selects risk responses in terms of how risks
may be mitigated, transferred or held.
6. Control activities in the form of policies and procedures ensure
that risk responses are carried out effectively.
7. Information needs to be captured and communicated as the
basis for risk management.8. The enterprise risk management system should be regularly
monitored and evaluated.
(Source: Committee of Sponsoring Organisations of the Treadway
Commission (COSO), 2004) Enterprise Risk Management – Integrated
Framework .
Case study findings: process and content ofbudgeting
The purpose of the exploratory case studies was to understand the
relationship between risk and budgeting. This involved considera-
tion of how risk was enacted in budgeting and how managerial per-
ceptions of risk influenced the process and content of budgets. The
findings from the four case studies reveal differences based on the
contexts of unique circumstances, histories and technologies of the
organisations. The four cases illustrated how the different social
E x e c u t i v e S u m m a r y
xviii
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 20/189
E x e c u t i v
e S umm a r y
xix
constructions of participants in the budgeting process influenced
the domains – or alternative lenses – through which the process
of budgeting took place and how the content of the budget was
determined.
Four domains of risk were observed, reflecting the different social
constructions of participants – financial, operational, political and
personal. The process of budgeting in all four cases was charac-
terised as risk considered, in which a top-down budgeting process
reflected negotiated targets. By contrast, the content of budget doc-
uments was risk excluded, being based on a set of single-point esti-
mates, in which all of the significant risks were excluded from the
budget itself. The separation of budgeting and risk management
has significant consequences for the management of risk as the
process of budgeting needs to be considered separately from thecontent of budget documents.
Objective and subjective risk
Despite the traditional accounting and finance emphasis, many
risks are not objectively identifiable and measurable but are sub-
jective and qualitative. For example, the risks of litigation, eco-
nomic downturns, loss of key employees, natural disasters, andloss of reputation are all subjective judgements. Risk is, therefore,
to a considerable extent, ‘socially constructed’ and responses to
risk reflect that social construction.
There is an important distinction between objective, measurable
risk and subjective, perceived risk. Risk can be thought about by
reference to the existence of internal or external events, informa-
tion about those events (i.e. their visibility), managerial perception
about events and information (i.e. how they are perceived), and
how organisations establish tacit/informal or explicit/formal ways
of dealing with risk.
Adams (1995) has shown that everyone has a propensity to take
risks, but this propensity to take risks varies from person to person,
being influenced by the potential rewards of risk taking and per-
ceptions of risk, which are influenced by experience of ‘accidents’.
Hence, individual risk taking represents a balance between per-
ceptions of risk and the propensity to take risks.
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 21/189
Prior research shows that we know little about how managers con-
sider risks but managers do take risks, based on risk preferences at
individual and organisational levels. Some of these risk prefer-
ences vary with national cultures while others are individual traits.
Risk perception is a cultural process, with each culture each set of
shared values and supporting social institutions being biasedtoward highlighting certain risks and downplaying others. We
found that this socially constructed view of risk was a better reflec-
tion of organisational risk management than rational modelling
approaches typified by textbooks and professional training as it
reflected the subjectivity of risk perceptions and preferences, cul-
tural constraints and individual traits. The four ‘ideal types’ devel-
oped by Adams (1995) and adapted in the full report as risk stance –
risk sceptical (or fatalists), hierarchists, individualists, and risk
aware (or egalitarians) – was helpful in our research in under-
standing individual and organisational risk management practices.
Our survey found that the risk stance of managers did influence the
risk management practices in use.
Risk management survey
Following the case studies, it was decided to undertake a surveyof organisations in the UK to examine risk management practices
and the role of management accountants in risk management. The
relationships we conjectured during our research design are
shown in Figure S.1.
E x e c u t i v e S u m m a r y
xx
Perceived
environmental
uncertainty
Risk stance
Risk factored into
planning
Supporting procedures
Risk management
practices performance
Improved
External regulation
Figure S.1 Conjectured relationships in our study
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 22/189
E x e c u t i v
e S umm a r y
xxi
Subsequently, we conducted a survey of CIMA members, finance
directors of FTSE listed companies and chief executives of SMEs
and analysed 333 usable responses, a response rate of 11 per cent.
We subsequently interviewed a number of respondents to aid our
interpretation of the survey analysis.
Risk management practices
We found that risk management systems appeared to improve the
organisational capacity to process information, both through verti-
cal information systems but also through the role of risk managers,
whose role was a cross-functional one, supporting the distinction
made between event-uncertainty, commonly viewed as risk, and
information-uncertainty (Galbraith, 1977: p.4).
The survey found that the methods for risk management that were
in highest use were the more subjective ones (particularly experi-
ence), with quantitative methods used least of all. These results
suggested a heuristic method of risk management is at work in con-
trast to the systems-based approach that is associated with risk
management in much professional training and in the professional
literature. The survey responses implied that traditional methods
of managing risk through transfer (insurance, hedging, etc.) werestill seen as more effective than more proactive risk management
processes. Risk was seen on an individual level as much about
achieving positive consequences as avoiding negative ones.
However, organisational risk management was reported to be more
about avoiding negative consequences.
In terms of methods of risk management, our interviewees advised
us that ‘keeping things simple’ was best, although more sophisti-
cated techniques were more likely to be used at lower organisa-
tional levels. This was largely because business was so complex
and supposedly ‘objective’ methods may not be as reliable as they
are sometimes perceived to be.
The trends in risk management were reported to have shifted from
being considered tacitly to being considered more formally and the
survey results reflected the respondents’ expectation that this trend
will shift markedly to a more holistic approach with risk manage-
ment being used to aid decision-making. Interviewees provided
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 23/189
examples of the beginning of a shift to a more proactive stance
towards risk management where this was seen to deliver business
benefits. There was a strong emphasis from our interviewees that
this shift was likely to increase with a move away from the ‘tick box’
approach. It was accepted by our interviewees that there was a need
culturally to embed risk into organisations as a taken-for-grantedpractice.
Costs and benefits of risk management
Risk management may be seen largely as a compliance exercise.
However, half of the respondents reported that the benefits
exceeded the costs, with 40 per cent reporting that benefits and
costs were neutral. Although this was a subjective judgement, theVice President of a European federation of risk management asso-
ciations summed up the benefits as:
An organisation that doesn’t issue profit warnings, doesn’t have
major unjustified exceptional costs on its annual accounts
because they thought about things in advance. They have man-
aged acquisitions and mergers proactively to ensure that they
have met their targets and objectives and haven’t impaired the
goodwill or asset values. These are some of the things you mightsee. A profitable and successful company, excellent reputation,
corporate social responsibility – you wouldn’t see them being fin-
gered as people who are exploiting the third world, child labour,
etc. – all those things sort of come out of it. They have got their
supply chain issues sorted out. I guess out in the City, analysts are
comfortable with what they are hearing and probably their esti-
mates are pretty close to what the organisation achieves. Good
credit rating, because they can see that they are good value and
their ratios are all good.
Governance and the drivers of risk management
The Combined Code on Corporate Governance (Financial
Reporting Council, 2003) is an important motivator for risk man-
agement and internal control practices, requiring Boards to main-
tain a sound system of internal control to safeguard shareholders’
investment and the company’s assets. Internal control is the whole
system of internal controls, financial and otherwise, established in
E x e c u t i v e S u m m a r y
xxii
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 24/189
E x e c u t i v
e S umm a r y
xxiii
order to provide reasonable assurance of effective and efficient
operation, internal financial control, and compliance with laws
and regulations. However, as profits are, in part, the reward for suc-
cessful risk taking in business then the purpose of internal control
is to help manage and control risk appropriately rather than to
eliminate it.
Given the significant public visibility of corporate governance
requirements, our survey findings suggested that risk management
may be seen largely as a compliance exercise. Management action
to decrease the likelihood of risk was given the highest ranking by
respondents, rather than action to achieve organisational objec-
tives. Risk still appears to be dominated by downside concerns and
risk transfer through hedging and insurance remains dominant
over proactive risk management practices.
Contrary to expectations that risk management practices vary
between organisations as a result of their size or industry sector,
there was little evidence of any contingent explanations for risk
management based on either size or business sector. Similarly, if
somewhat surprisingly, respondents’ perceptions of the environ-
mental uncertainty and risk facing their organisations did not
appear to influence basic risk management practices in those
organisations.
The survey results suggested that risk management was driven by
an institutional response to calls for improved corporate gover-
nance which may reflect both protection and economic opportu-
nity. The external drivers of risk management practices were
observed to be external stakeholders and the demands of regulators
and legislation, enacted through boards of directors which were
likely to exert influence over the policies and methods adopted for
risk management.
Financial market risk
In relation to financial market risk, the implication of our regres-
sion analysis is that the ‘risk aware’ stance, in attending to both
protection and to opportunity, does create organisations to which
the capital markets award a lower beta, and hence a higher value.
This led us to infer that the requirements of corporate governance
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 25/189
do not necessarily have to work in opposition to economic ratio-
nales of risk as opportunity and adventure. However, given the
small samples, this observation is indicative only and would need
to be replicated on a larger scale.
Framework for risk management
Our survey results, amplified by our interview data, enabled us to
put forward a framework for risk management. This framework
reflects the primary research findings, in particular that:
◆ There are many external drivers to risk management, not only
regulatory, but that these are enacted by or through the board
of directors.◆ Other than organisation size, there appears to be no correlation
between environmental uncertainty or competitive factors and
risk management practices.
◆ Risk propensity was not as important as risk stance.
◆ Risk management practices exist along a continuum of heuris-
tic to systematic but, at corporate level, the heuristic methods
dominate.
◆
Risk management practices are believed by respondents tomove along a life cycle from heuristic to systems dependent to
culturally embedded.
◆ The involvement of accountants in risk management was
marginal.
◆ Risk management was perceived to improve organisational per-
formance and there is indication that a risk aware stance could
be related to a lower capital market risk profile.
The framework, in conjunction with that developed by Solomonet al. (2000) presents a useful model for understanding how risk
management practices are introduced and develop over time.
Risk and management accountants
Management accountants, whose professional training included
the analysis of information and systems, performance and strategic
E x e c u t i v e S u m m a r y
xxiv
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 26/189
E x e c u t i v
e S umm a r y
xxv
management, can have a significant role to play in developing and
implementing risk management and internal control systems
within their organisations (Chartered Institute of Management
Accountants, 2002).
These research results have some significant implications for the
role of accountants. The responses reveal that line managers were
mostly concerned with identifying risk, analysing and reporting on
risk. Finance directors had a major role in analysing and assessing,
and reporting and monitoring risk. Deciding on risk management
action was predominantly the concern of the chief executive and
the board. The finance director was identified with more aspects of
risk management than any other role, suggesting that they probably
have a pivotal role in risk management.
The changing role of management accountants is an important fac-
tor in establishing the context for their role in risk management and
wider views of management control. Perhaps reinforcing tradi-
tional stereotypes, CIMA respondents were more risk-concerned
than the other respondent groups in relation to their organisations,
despite having a lower perception of the competitive intensity and
uncertainty in their industry/sector.
The reliance on formal accounting-based controls was also calledinto question. Importantly, CIMA respondents were less confident
in the formal control systems that existed in their organisations,
suggesting that the professional knowledge of accountants accom-
modates an understanding of the limits of accounting information,
a knowledge not shared by non-accountants.
Further, management accountants in the overwhelming majority of
organisations were being marginalised in relation to risk manage-
ment. While CIMA respondents consider that managementaccountants should have more involvement in risk management,
this was not a view shared by other respondents.
Interviewees saw the skill set of management accountants as not being
appropriate to a wider involvement in risk management, although
their analytic and modelling skills were essential in a supporting role.
The distinction between task-oriented management accountants and
strategic finance directors was reinforced in our interviews.
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 27/189
Best practice implications
Based on our research, our report highlights some fundamental
best practice implications for risk management:
◆ taking a broader opportunistic approach to risk management,
based on a risk/return trade-off, rather than a purely defensiveor protective stance
◆ using appropriate and effective tools, but these tools should be
supplemented by experience, intuition and judgement
◆ a deliberately proactive stance towards risk management, rather
than an excessive reliance on traditional techniques, except to
the extent that these techniques remain useful
◆ emphasising the importance of culturally embedding risk
awareness in organisations◆ training users of financial information in the limitations of that
information.
There are further best practice implications for CIMA and its mem-
bers:
◆ The role of management accountants needs to shift towards a
more strategic and value adding role which, by definition,
includes a consideration of risk, if management accountants are
not to be marginalised in risk management processes.
◆ CIMA members may have to reach finance director positions
before they can contribute more significantly to risk manage-
ment, but clearly they should be educated to be able to fulfil
that function.
E x e c u t i v e S u m m a r y
xxvi
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 28/189
I n t r o d u c t i on
xxvii
Introduction
This book presents the findings from two research projects on risk funded
by grants provided by CIMA. The first grant was for a pilot study compris-
ing four mini-case studies. Our major focus in that study was on how risk
impacted upon budgeting. The second grant was for a comprehensive sur-vey and analysis of risk management in organisations and, in particular,
how risk management impacted on both internal controls and on the role of
the management accountant. Following the statistical analysis of the survey,
interviews were conducted with survey respondents and risk management
professionals in order to help us explain our findings. This book therefore
provides the results of these three phases of our research.
Chapter 1 provides a review of the practitioner and academic literature as
it affects governance, risk management and management accounting. This
chapter contains a summary of the literature on risk as it affects manage-
ment control and the role of the management accountant. First, the major
influence of corporate governance requirements on risk management is
reviewed. Then risk definitions are examined and set in the context of the
practitioner literature on risk management. Second, academic notions of
risk as it affects managers, internal control and the role of the accountant
are examined.
Chapter 2 describes the four exploratory case studies. The purpose of the
exploratory case studies was to understand the relationship between risk
and budgeting. This involved consideration of how risk was enacted in
budgeting and how managerial perceptions of risk influenced the process
and content of budgets. Risk modelled budgeting was conjectured as a
descriptive model of the environment–organisation interface through
input–output modelling which assumes knowledge of the means–ends
transformation process. A budgetary system designed within an implicit
protective boundary where risk is explicitly excluded from the budgetarysystem and is managed in some other domain was proposed as a risk
excluded form of budget. Where organisations give attention to environ-
mental influences, while simultaneously creating a protective boundary,
albeit in different elements of the budgetary system, a risk considered form
of budgeting was conjectured.
Following the case studies, it was decided to undertake a survey of
organisations in the UK to examine risk management practices and the
role of management accountants in risk management. Chapter 3 provides
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 29/189
a comprehensive description of the survey design, the survey instrument,
the method of analysis and the results of that analysis.
To help us to interpret some of the findings in the analysis of our survey
results, we conducted interviews with 14 members of organisations, who
had indicated in their survey questionnaires that they were prepared to be
interviewed. Ten were interviewed face to face and four by telephone. The
interviews were based on semi-structured, open questions in order not to
lead the respondents. Transcripts of the interviews were made for later
analysis. This chapter is based upon excerpts from these interviews, in
order to explore the key issues emerging from the survey. Chapter 4 pro-
vides excerpts from our interview data in relation to our survey results.
The research findings are summarized in Chapter 5 and Chapter 6 contains
implications for best practice.
I n t r o d u c t i o n
xxviii
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 30/189
1Governance, risk andcontrol
1
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 31/189
2
This page intentionally left blank
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 32/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
3
Introduction
This chapter contains a summary of the literature on risk as it
affects management control and the role of the management
accountant. First, the major influence of corporate governance
requirements on risk management is reviewed. Then risk defini-
tions are examined and set in the context of the practitioner litera-
ture on risk management. Second, academic notions of risk as it
affects managers, internal control and the role of the accountant are
examined.
Corporate governance
Corporate governance is the system by which companies aredirected and controlled. Boards of directors are responsible for the
governance of their companies. The shareholders’ role in gover-
nance is to appoint the directors and the auditors and to satisfy
themselves that an appropriate governance structure is in place.
The responsibilities of the board include setting the company’s
strategic aims, providing the leadership to put them into effect,
supervising the management of the business and reporting to
shareholders on their stewardship. The board’s actions are subject
to laws, regulations and the shareholders in general meeting (CIMA
Official Terminology ).
Even before the spate of corporate governance reports, culminating
in the Combined Code on Corporate Governance (Financial
Reporting Council, 2003), a growing number of institutional
investors were starting to encourage greater disclosure of gover-
nance processes and emphasising the quality and sustainability of
earnings, rather than short-term profits alone. For example, a sur-
vey published by KPMG in 2002 (KPMG, 2003) reported that 80 per
cent of fund managers would pay more for the shares of a demon-
strably well-governed company, with the average premium being
11 per cent. Research by management consultants McKinsey
(McKinsey & Co, 2006) has also shown that an overwhelming
majority of institutional investors are prepared to pay a significant
premium for companies exhibiting high standards of corporate
governance.
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 33/189
The media have also increased their reporting of governance
practices. The high-profile failures of companies, notably the press
coverage given to Enron and WorldCom, brought corporate gover-
nance to worldwide attention. The September 11 (2001) attacks in
the USA also resulted in an increase in attention to risk.
This increased attention to corporate governance has been a global
one. Policy concern with corporate governance has been driven in
recent years by a series of corporate scandals and failures in a num-
ber of countries, not just due to cyclical events but also to systemic
weaknesses. Major corporate collapses have been a feature of recent
business history in the UK and elsewhere. Among these have been:
◆ In the UK, high-profile failures have occurred in the Maxwell
publishing group, Bank of Commerce & Credit International
(BCCI), Asil Nadir’s Polly Peck, and Marconi.
◆ In Italy, there has been Pasminco, and in Australia the insurer
HIH, Ansett Airlines, and OneTel.
◆ Most high profile has been the corporate collapses in the USA:
Enron, WorldCom, and Tyco.
Corporate governance considerations emerged in the USA in the
Treadway Commission’s Report on Fraudulent Financial Reporting
in 1987 (Treadway Commission, 1987), which was later reinforced by the Securities and Exchange Commission in its listing require-
ments. A subgroup of the Treadway Commission, the Committee of
Sponsoring Organisations (COSO) developed Internal Control –
Integrated Framework in 1992 (Committee of Sponsoring
Organisations of the Treadway Commission, 1992) and, in 2003, a
report was published on Enterprise Risk Management (Committee
of Sponsoring Organisations of the Treadway Commission, 2003)
which was updated in 2004 (Committee of Sponsoring
Organisations of the Treadway Commission, 2004).
The introduction of the US Sarbanes-Oxley Act in 2002 was the leg-
islative response in the USA to the financial and accounting scan-
dals of Enron and WorldCom and the misconduct at the accounting
firm Arthur Andersen. Its main aim was to deal with core issues of
transparency, integrity and oversight of financial markets.
The emergence of corporate governance as a problem can be traced to
enforcement exercises in relation to past misdeeds, changing financial
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
4
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 34/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
5
markets, including the rapid rise of institutional investors and their
increasing desire to be more active investors, and the increasing
dependence of an ageing population on pensions and savings which
have been affected by declining confidence in stock markets.
In the UK, a series of reports has had a marked influence on the
development of corporate governance. The first report, by Sir Adrian
Cadbury, followed corporate failures in Polly Peck, BCCI and pension
funds in the Maxwell Group. The Cadbury Report (Cadbury Code,
1992) was in relation to Financial Aspects of Corporate Governance.
The Greenbury report on directors’ remuneration was published in
1995 (Greenbury, 1995). The Hampel report, published in 1998
(Committee on Corporate Governance, 1988), reviewed the imple-
mentation of the Cadbury Code. The Corporate Governance
Combined Code, published in 1998 (Financial Reporting Council,2003), incorporated the recommendations of the Cadbury, Greenbury
and Hampel Committees. This was superseded by the Combined
Code on Corporate Governance (Financial Reporting Council, 2003)
which incorporated the Turnbull Guidance on internal control
(Institute of Chartered Accountants in England & Wales, 1999), the
Higgs report on the role of non-executive directors and the Smith
report on the role of audit committees, both published in 2003 (Higgs,
2003; Smith, 2003).In 2003, the publication by CIMA (2003) of Enterprise Governance:
Getting the Balance Right , emphasised the importance of a dual con-
cern with conformance and performance. Conformance was related
to issues of accountability and assurance, driven by corporate gov-
ernance requirements. Performance was concerned with resource
utilisation and value creation. CIMA’s enterprise governance frame-
work argued the need to balance conformance requirements with the
need to deliver long-term performance to achieve strategic success.
Risk
Risk is typically defined in terms of the possibility of danger, loss,
injury or other adverse consequences. The distinction between risk
and uncertainty is typically made in accounting and finance texts
and dates back to Knight’s classic work Risk, uncertainty and
profit , published in 1921 (Knight, 1921). According to Knight, risk
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 35/189
was a state of not knowing what future events will happen, but
having the ability to estimate the odds, while uncertainty was a
state of not knowing the odds. While the first was calculable, the
second was not and any estimates were subjective. The Risk
Management Standard (Institute of Risk Management, 2002)
defined risk as the combination of the probability of an event andits consequences, with risk management being concerned with
both positive and negative aspects of risk.
The discipline of risk management has emerged, initially from
insurance, but subsequently from many fields including health and
safety, environmental pollution, crisis management, business
continuity, project risk, and reputation risk. Professional bodies,
consulting firms and academics have produced many hundreds of
publications on risk management during the last decade.
The accounting literature, as it is reflected in textbooks, has
addressed risk from a narrow perspective. Accounting texts, so far
as they discuss risk, do so in terms of decision trees, probability
distributions, cost-volume-profit analysis, discounted cash flow
etc. Finance texts are typically concerned with portfolios, capital
assets pricing models and hedging techniques to reduce the risks of
currency and interest rate exposure. However, there are three
limitations in these narrow perspectives:
◆ the usefulness (or value) of quantification techniques for meas-
uring risk probabilistically was recognised in the 1930s as being
questionable (McGoun, 1995), although this has been forgotten
◆ there has been a reduction of human agency to irrelevance
◆ risk has traditionally been viewed as negative, despite the well
accepted idea of a risk/return trade-off.
The International Federation of Accountants (IFAC, 1999) pub-lished an important study on Enhancing Shareholder Wealth by
Better Managing Business Risk . The IFAC report defined risks as
uncertain future events that could influence the achievement of the
organisation’s strategic, operational and financial objectives. The
IFAC report shifted the focus of risk from a negative concept of haz-
ard to a positive interpretation that managing risk is an integral
part of generating sustainable shareholder value. The report argued
that business risk management establishes, calibrates and realigns
the relationship between risk, growth and return.
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
6
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 36/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
7
Similarly, the Turnbull Report (Institute of Chartered Accountants
in England & Wales, 1999), now part of the Combined Code on
Corporate Governance, defined risk as any event that might affect
a listed company’s performance, including environmental, ethical
and social risks.
Risks can be classified in a number of ways. One common distinc-
tion is:
◆ Business or operational risk: relating to the activities carried out
within an organisation
◆ Financial risk: relating to the financial operation of a business
◆ Environmental risk: relating to changes in the political, eco-
nomic, social and financial environment
◆ Reputation risk: caused by failing to address some other risk.
The Institute of Risk Management (2002) Risk Management
Standard categorised risk in terms of financial, strategic, opera-
tional and hazard. Some of these risks are driven by external
factors (competition, interest rates, regulations, natural events) and
some are driven by internal factors (research and development,
cash flow, information systems, etc.). Some risks have both exter-
nal and internal drivers (e.g. employees, supply chains, products
and services, and merger and acquisitions).
Building on these distinctions, risk can be thought about by
reference to:
◆ the existence of internal or external events
◆ information about those events (i.e. their visibility)
◆ managerial perception about events and information (i.e. how
they are perceived)
◆ how organisations establish tacit/informal or explicit/formal
ways of dealing with risk.
Clearly, risk can be understood in two basic ways – as potential loss
or potential gain. Risk as loss is what managers most often mean
when they talk about risk, referring mainly to events with negative
consequences. Managing risk in this context means seeking to
reduce the probability of the negative event (the downside) with-
out undue cost. Risk as hazard is typically a concern of those
responsible for conformance: financial controllers, internal audi-
tors and insurance specialists. Managing risk in this context means
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 37/189
reducing the variance between anticipated and actual outcomes. In
conditions of uncertainty, chief financial officers and line man-
agers responsible for operations are unable to assess the potential
loss or the consequences of their actions.
Risk as opportunity for potential gain accepts that there is a
relationship between risk and return. Managing risk in this context
means using techniques to maximise the gain while minimising
the downside. Shareholders expect boards to achieve a higher
return than is possible from risk-free investments such as govern-
ment securities, and expect boards to be entrepreneurial in taking
risks within the accepted risk profile of the organisation.
There is a natural progression in managing risk:
◆ from managing the risk associated with compliance and pre-vention (the downside)
◆ through managing to minimise the risks of uncertainty in
respect of operating performance
◆ to moving to the higher level of managing opportunity risks (the
upside) which need to be taken in order to increase and sustain
shareholder value.
Organising for uncertainty
The distinction between risk and uncertainty made by Knight to
some extent is reflected in the later work of Galbraith who differen-
tiated event uncertainty, commonly viewed as risk, from information
uncertainty. The distinction is important, not least because an organ-
isation has little or no control over external events (merely its
response to those events). Galbraith defined information uncertainty
as the difference between the amount of information required to per-
form a task and the amount of information already possessed by the
organisation. Uncertainty limits the ability of the organisation to
make decisions in advance. Galbraith (1977: p.4) argued that:
the greater the uncertainty of the task, the greater the amount of
information that has to be processed between decision makers
during its execution.
Galbraith (1974) observed that as task uncertainty increases, the
number of exceptions to expectations increases until the hierarchy
becomes overloaded. He argued that the success of goal setting,
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
8
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 38/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
9
hierarchy and rules depended upon the combination of the fre-
quency of exceptions and the capacity of the hierarchy to handle
those exceptions. As uncertainty increased, Galbraith proposed
four organisational design strategies:
1. The creation of slack resources minimises exceptions by relax-
ing budget targets, creating longer delivery lead times and
‘buffer’ inventories.
2. The creation of self-contained tasks can change the division of
labour by allocating resources to an output-focused product
group structure instead of a skills-based functional structure.
The creation of slack resources and self-contained tasks were
strategies that reduced the need for information processing
because of lower performance standards, because fewer excep-
tions were likely to occur and fewer factors would impact on theinterdependence between business units.
3. Investing in vertical information systems permits the processing
of information as a result of task performance, without over-
loading the managerial hierarchy. Galbraith argued that unan-
ticipated events created exceptions that incrementally updated
the plan, but which, in sufficient quantity, lead to a new plan.
This was the path chosen by most risk management advisors
and reports.4. Creating lateral relations might shift decision-making to the
location of information, without creating self-contained groups.
These relations could be achieved through direct contact
between managers, through liaison roles, task forces, teams, and
integrating roles. Investing in vertical information systems or
creating lateral relations were strategies that increased the
organisational capacity to process information.
The effect of a combination of these four design strategies (the cre-ation of slack resources, self-contained tasks, vertical information
systems and lateral relations) is to reduce the number of exceptions
referred upward in the organisational hierarchy. If one of these
design strategies is not chosen, Galbraith argued that performance
standards will automatically fall.
Galbraith’s ideas are relevant to an understanding of managing risk
through control procedures and will provide a point of reference
later in this report.
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 39/189
Risk management
Risk management has been defined as the process of understand-
ing and managing the risks that the organisation is inevitably
subject to in attempting to achieve its corporate objectives (CIMA
Official Terminology ).
The Institute of Risk Management provided a more detailed defini-
tion of risk management as:
the process by which organisations methodically address the
risks attaching to their activities with the goal of achieving sus-
tained benefit within each activity and across the portfolio of all
activities.
The focus of good risk management is the identification and treat-
ment of these risks. Its objective is to add maximum sustainable
value to all the activities of the organisation. It marshalls the
understanding of the potential upside and downside of all those
factors which could affect the organisation. It increases the proba-
bility of success, and reduces both the probability of failure and the
uncertainty of achieving the organisation’s overall objectives.
The Institute of Risk Management (2002) developed a Risk
Management Standard, which contains several elements:
◆ risk assessment
◆ risk evaluation
◆ risk treatment
◆ risk reporting.
Risk assessment comprises the analysis and evaluation of risk
through processes of identification, description and estimation.
The purpose of risk assessment is to undertake risk evaluation.
Risk evaluation is used to make decisions about the significance of risks to the organisation and whether each specific risk should be
accepted or treated. Examples of identifying risk are shown in Box
1.1. Various methods may be used to assess the severity of each risk
once they are identified, as Box 1.2 shows.
Although many of these methods provide a formal structure for
estimating risk, they assume simple linear cause – effect relation-
ships rather than holistic or whole system relationships. On the
other hand, many methods are subjective and rely on individual
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
10
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 40/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
11
Box 1.1 Methods of identifying risk
◆ Brainstorming
◆ Workshops
◆ Stakeholder consultations
◆ Benchmarking◆ Checklists
◆ Scenario analysis
◆ Incident investigation
◆ Auditing and inspection
◆ Hazard and operability studies (HAZOP)
◆ Fish bone: breaking down a business process into its
component parts to examine all the risks to that process
◆ Questionnaires/surveys
◆ Interviews
Box 1.2 Methods to assess the severity of risks
◆ Information gathering (e.g. market survey, research and
development)
◆ Scenario planning
◆ Soft systems analysis
◆ Computer simulations, e.g. Monte Carlo
◆ Decision trees
◆ Root cause analysis
◆ Fault tree/event tree analysis
◆ Dependency modelling
◆ Failure mode and effect analysis (FMEA)
◆ Human reliability analysis
◆ Sensitivity analysis
◆ Cost-benefit and risk-benefit analysis◆ Real option modelling
◆ Software packages
◆ Delphi method
◆ Risk map
◆ SWOT or PEST analysis
◆ Hazard and operability studies (HAZOP)
◆ Statistical inference
◆ Measures of central tendency and dispersion
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 41/189
perceptions of risk (e.g. soft systems analysis, brainstorming, cost-
benefit and risk-benefit analysis, Delphi, etc.). Others combine
both, with subjective judgements reflected in probabilities (e.g.
Monte Carlo simulations, sensitivity analysis).
A common way of mapping and assessing the significance of risks
is through the likelihood/impact matrix. The likelihood of occur-
rence may be high, medium or low. Similarly, impact or conse-
quences in terms of downside risk (threats) or upside risk (missed
opportunities) may be high, medium or low. For many organiza-
tions, a 3ϫ 3 matrix of high/medium/low will suit their needs,
while for others a 5 ϫ 5 (or even 7 ϫ 7) matrix may be used. By
considering the likelihood and consequences of each of the risks, it
should be possible for organisations to map their risk exposure and
then consider how to evaluate those risks.
Risk evaluation is concerned with making decisions about the sig-
nificance of risks faced by the organisation, whether those risks
should be accepted or whether there should be an appropriate
treatment or response. This involves comparing the risks faced by
an organisation against its desired risk profile (or risk appetite).
Risk appetite is the amount of risk an organisation is willing to
accept in pursuit of value and may be expressed as an acceptable balance between growth, risk and return. Risk appetite may be
made explicit in organisational strategies, policies and procedures
or it may be implicit, needing to be derived from an analysis of past
organisational decisions and actions.
Risk treatment (or risk response) is the process of selecting and
implementing measures to modify the risk. This may include risk
control/mitigation, risk avoidance, risk transfer, risk financing (e.g.
insurance), etc. In establishing a portfolio view of risk responses,management will recognise the diversity of responses and the effect
on the organisation’s risk tolerance. The basic principle of portfolio
theory is that it is less risky to have diverse sources of income
through a portfolio of assets or investments. Spreading investments
reduces risk, but may also reduce the probability of higher gains.
Risk reporting is concerned with regular reports to the board and to
stakeholders setting out the organisation’s policies in relation to risk
and enabling the monitoring of the effectiveness of those policies.
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
12
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 42/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
13
The Committee of Sponsoring Organisations of the Treadway
Commission (COSO, 2003) published Enterprise Risk Management
Framework . This was updated as an Integrated Framework in 2004
(Committee of Sponsoring Organisations of the Treadway
Commission (COSO), 2004). COSO defined enterprise risk man-
agement as:
a process, effected by an entity’s board of directors, management
and other personnel, applied in strategy setting and across the enter-
prise, designed to identify potential events that may affect the
entity, and manage risks to be within its risk appetite, to provide rea-
sonable assurance regarding the achievement of entity objectives.
This approach to enterprise risk management was intended to align
risk management with business strategy and embed a risk manage-
ment culture into business operations. It encompassed the whole
organisation and saw risks as opportunities to be grasped as much as
hazards to be avoided. It is generally agreed among professional risk
managers that the future management of risk will involve fostering a
change in the risk culture of the organisation towards one where risks
are considered as a normal part of the management process.
Risk culture may be regarded as the set of shared attitudes, values
and practices that characterize how an entity considers risk in its
day-to-day activities. This may be determined in part from the
organisational vision and/or mission statement and strategy docu-
ments. However, it will be most clearly seen through organisational
practices, notably rewards or sanctions for risk-taking or risk-
avoiding behaviour. Both risk appetite and risk culture lead us to a
consideration of the role of managers in relation to risk.
Managers and riskTogether with approaches that emphasise calculation, that is prob-
ability, sensitivity, hedging, insurance (itself based on probabili-
ties), discount rates, etc., the assumption in much of the literature
has been that risks can be assessed, measured and managed via
feedback- and feed forward-type loops. However, many risks are
not objectively identifiable and measurable but are subjective and
qualitative. For example, the risks of litigation, economic
downturns, loss of key employees, natural disasters, and loss of
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 43/189
reputation are all subjective judgements. Risk is, therefore, to a
considerable extent, ‘socially constructed’ and responses to risk
reflect that social construction.
The view of risk as a systematic, rational device with tools and tech-
niques to manage risk has been challenged (Beck, 1986/1992 in trans-
lation) with a wider view than the individual or the organisation.Beck’s claim that we live in a ‘risk society’ was made from the stance
that much risk was both part of the physical environment and also
substantially created by the actions of companies, farmers and other
actors. Further, the conceptions we have of risk are socially con-
structed. For something to be socially constructed is for meanings to
be created and reinterpreted through social interaction, not just as a
consequence of individual attitudes. Douglas and Wildavsky (1983)
identified the perception of risk as a social process, with some risks being highlighted while others were downplayed.
Under an interpretive or social construction perspective, risk can
be thought about by reference to:
◆ the existence of internal or external events
◆ information about those events (i.e. their visibility)
◆ managerial perception about events and information (i.e. how
they are perceived)
◆ how organisations establish tacit/informal or explicit/formalways of dealing with risk.
It has been argued (Bettis and Thomas, 1990) that researchers had
very little knowledge about how managers in organisations per-
ceived and took risks, or of the commonalities or differences
between individual risk taking and risk taking by managers in the
organisational context. Since then, in the last decade, there has
been a myriad of publications on risk management by professional
bodies and consulting firms and published research on various
aspects of risk management, including technology (Shrivastava,
1993; Bussen and Myers, 1997; Kumar, 2002), outsourcing
(Bhattacharya et al., 2003), reputation (Davies, 2002a), project
management (Jiang and Klein, 1999; Miller and Lessard, 2001),
and crisis (Davies, 2002b).
March and Shapira (1987) suggested that managers were insensitive
to probabilities but were focused on performance in relation to crit-
ical performance targets. These authors identified three motivations
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
14
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 44/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
15
for risk taking by managers. Managers saw risk taking as essential to
success in decision-making; managers associated risk taking with
the expectations of their jobs rather than with any personal prefer-
ence for risk; and managers recognised the ‘emotional pleasures and
pains’ of risk taking. As a result of their research, March and Shapira
noted that both individual and institutionalised (i.e. taken forgranted within the organisation) risk preferences were important in
understanding organisational responses to risk management.
Adams (1995) developed the notion of the ‘risk thermostat’ to illus-
trate how everyone has a propensity to take risks, but the propen-
sity to take risks varies from person to person. The propensity to
take risks is influenced by the potential rewards of risk taking and
perceptions of risk are also influenced by experience of ‘accidents’
that cause losses. Hence, according to Adams, individual risk tak-ing represents a balance between perceptions of risk and the
propensity to take risks with accident and losses as one conse-
quence of taking risks. The risk thermostat has cultural filters
through which risk/reward trade-offs and perceptions of
danger/accidents are balanced.
Some of these perceptions may be based on national cultures, while
others are organisational and/or individual. Uncertainty avoidance
was one of the dimensions in the study on national cultural differ-ences among IBM employees carried out by Hofstede (1980). The
characteristic of uncertainty avoidance indicated the extent to which
members of a society felt threatened by uncertainty and ambiguity.
This was associated with seeing uncertainty as a threat, but com-
pensated for by hard work, written rules and a belief in experts. In a
comparative study of four cultures (American, German, Polish, and
Chinese), Weber and Hsee (1998) found that the majority of respon-
dents in all four cultures were perceived to be risk averse. These
authors proposed a ‘cushion hypothesis’ because, in some countries
(notably Chinese), collectivism cushions members against the
consequences of negative outcomes. This in turn affects the subjec-
tive perceptions of the riskiness of options.
At the organisational level, Douglas and Wildavsky (1983)
explained risk perception as a cultural process, commenting that
each culture, each set of shared values and supporting social insti-
tutions, was biased toward highlighting certain risks and down-
playing others. Adams (1995) also adopted a ‘cultural theory’
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 45/189
perspective and differentiated the formal sector of risk manage-
ment, with its concern with risk reduction, from the informal sec-
tor of individuals seeking to balance risks with rewards. Adams,
like others, also contrasted the distinction between objective,
measurable risk and subjective, perceived risk.
Weber and Milliman (1997) described risk preference as a personal
trait on a continuum from risk avoiding to risk taking, with risk fac-
tors being based on the magnitude of potential losses and their
chances of occurring. They found that risk preference may be a sta-
ble personality trait, but the effect of situational variables on choice
may be the result of changes in risk perception. These situational
variables may exist at both national and organisational levels.
A survey of managers and accountants by Helliar et al. (2002) tooka psychological approach to risk and found that loss aversion was
dominant in decision-makers’ minds. Probabilistic measures were
not used as managers preferred to rely on instinct and experience
which was then tested against corporate procedures to minimise
risk. Helliar et al. (2001) found that, in some circumstances, man-
agers were unable to distinguish between the risks that they were
taking in their personal capacity and the risks they were taking on
behalf of organisations. The managers in failing firms often focused
on only one or two issues and were sometimes unable to separate
their personal risks from business risks. They were willing to take
gambles that might save their business from insolvency although,
when threatened, their risk attitudes became more risk averse.
Managers in turnaround activities were willing to ask for help
sooner and recognized the need for action, demonstrating a more
secure personal position.
Harris (1999, 2000) also drew on psychological theories in devel-oping a project risk assessment framework to study risk assessment
in capital investment decision-making, in which managers used a
range of analytical tools to assess the likely risks and returns.
Managers also drew upon their intuition and influenced others
involved in the decision process. This suggested a link between
human capabilities and procedures.
In their study of risk in budgeting, Collier and Berry (2002) argued
that by excluding some risks and considering others, the process of
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
16
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 46/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
17
constructing a budget was seen to be different to, and needed to be
interpreted separately from, the content of the budget document in
which there was little evidence of risk modelling or the use of
probabilities.
Following Douglas and Wildavsky, Adams identified four distinc-
tive world views that have important implications for risk. Adams’
‘four rationalities’ were: fatalists, hierarchists, individualists, and
egalitarians.
◆ Fatalists have minimal control over their own lives and belong
to no groups that are responsible for the decisions that rule their
lives. They are resigned to their fate and see no point in trying
to change it. Managing risks is irrelevant to fatalists.
◆ Hierarchists inhabit a world with strong group boundaries with
social relationships being hierarchical. Hierarchists are always
evident in large organisations with strong structures, proce-
dures and systems. Hierarchists are most comfortable with a
bureaucratic risk management style using various risk manage-
ment techniques.
◆ Individualists are enterprising, self-made people, relatively free
from control by others, but who strive to exert control over their
environment. Entrepreneurs in small-medium enterprises fit
into this category. Risk management to individualists is typi-cally intuitive rather than systematic.
◆ Egalitarians have strong group loyalties but little respect for
externally imposed rules and group decisions are arrived at
democratically. Egalitarians are more commonly found in pub-
lic sector and not-for-profit organisations whose values are ori-
ented to social concerns. Egalitarians are most comfortable in
situations of risk sharing through insurance, hedging or transfer
to other organisations.
Figure 1.1 represents an adaptation from these four ideal types –
which, in this research, was deemed an organisational risk
stance – based on perspectives as to whether risk management is
largely about avoiding negative consequences or achieving posi-
tive consequences.
The term ‘egalitarian’ has been replaced by the term ‘Risk aware’ to
describe organisations that might be high on both aspects of risk
management approach and which also attempt to build a culture of
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 47/189
risk management into their operations. By contrast, the term ‘fatal-
ist’ has been replaced by ‘Risk sceptical’ to reflect those organisa-
tions that do not believe that risk management is at all important.
Managerial perceptions of risk lie at the heart of our study and the
notions of the risk thermostat and the four rationalities of Adams(1995) will be revisited later in this book.
Risk and control
Internal control is the whole system of internal controls, financial
and otherwise, established in order to provide reasonable assur-
ance of effective and efficient operation, internal financial
control, and compliance with laws and regulations (CIMA officialterminology).
Like the report by International Federation of Accountants (1999),
the guidance in the Turnbull Report (Institute of Chartered
Accountants in England & Wales, 1999) emphasised that as profits
are, in part, the reward for successful risk taking in business, the
purpose of internal control is to help manage and control risk
appropriately rather than to eliminate it. The Combined Code on
Corporate Governance (Financial Reporting Council, 2003) encom-
passed the Turnbull Guidance, which provided that boards should
maintain a sound system of internal control to safeguard share-
holders’ investment and the company’s assets.
The Turnbull Guidance was based on the adoption by a company’s
board of a risk-based approach to establishing a sound system of
internal control and reviewing its effectiveness (para. 9). Code
C.2.1 of the Combined Code relates to internal control and provides
that boards should conduct, at least annually, a review of the
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
18
Risk management is about
avoiding negative consequences
Low High
Low Risk sceptical Hierarchists
Risk management is about
achieving positive consequences
High Entrepreneurs Risk aware
Figure 1.1 Ideal types applied to risk management stances. (Based on Adams, 1995 and
Douglas and Wildavsky, 1983)
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 48/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
19
effectiveness of the group’s system of internal controls and should
report to shareholders that they have done so. This review should
cover all material controls, including financial, operational and
compliance controls and risk management systems.
In its Enterprise Risk Management – Integrated Framework , Comm-
ittee of Sponsoring Organisations of the Treadway Commission
(COSO) (COSO, 2004) developed a model of internal control con-
taining eight components: internal environment; objective setting;
event identification; risk assessment; risk response; control activi-
ties; information and communication; and monitoring.
1. The internal environment sets the basis for how risk is viewed
and the organisational appetite for risk.
2. Organisational objectives must be consistent with risk appetite.
3. Events affecting achievement of objectives must be identified,
distinguishing between risks and opportunities.
4. Risk assessment involves the analysis of risks into their likeli-
hood and impact in order to determine how they should be
managed.
5. Management then selects risk responses in terms of how risks
may be mitigated, transferred or held.
6. Control activities in the form of policies and procedures ensure
that risk responses are carried out effectively.7. Information needs to be captured and communicated as the
basis for risk management.
8. The enterprise risk management system should be regularly
monitored and evaluated.
There has been an implicit assumption in much research that man-
agement control systems play an important part in risk management.
However, Marshall et al. (1996: p.90) argued that an emphasis on
internal control systems was insufficient because while informationcan be provided, decision-makers need knowledge to interpret that
information, and an excess of controls can produce:
an illusion of control; hiding the very real risks that lie in those
areas where much that was not quantifiable or constant must be
factored into a decision.
Berry et al. (2005) argued that the risk of control could be identi-
fied in a turbulent environment, where organisational participants
may have less room to manoeuvre if they are prescriptive, leading
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 49/189
to insufficient flexibility to cope with the unexpected. The exis-
tence of controls may themselves lead managers to believe that
risks are well controlled and unforeseen circumstances may arise,
or opportunities missed, because of an over-reliance on controls.
Spira and Page (2003) argued that the corporate governance frame-
work was designed to manage risk through the accountability
mechanisms of financial reporting, audit and internal control, in
which internal auditors aspire to the reframing of their role in
terms of risk management. Developments in corporate governance
reporting offer opportunities for the appropriation of risk and its
management by groups wishing to advance their own interests by
asserting their own conceptions of risk and how it should be man-
aged in an environment in which the failure to achieve corporate
objectives provides a natural focus for risk management.
The changing role of management accountants
Management accounting is the application of the principles of
accounting and financial management to create, protect, preserve
and increase value so as to deliver that value to the stakeholders
(CIMA Official Terminology ).
Management accounting is concerned with information used in:
◆ Formulating business strategy
◆ Planning and controlling activities
◆ Decision-making
◆ Efficient resource usage
◆ Performance improvement and value enhancement
◆ Safeguarding tangible and intangible assets
◆ Corporate governance and internal control.
Consequently, either explicitly or implicitly, management account-
ants are involved in internal control mechanisms.
A study of changing management accounting practice on The
Future Direction of UK Management Accounting Practice identi-
fied a change in the way management accounting was being used
in organisations, from a traditional monitoring and control per-
spective to a more business and support-oriented perspective
(Scapens et al., 2003). This research identified how many routine
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
20
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 50/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
21
management accounting tasks either were being done by computer
systems or by small, specialist groups. These authors argued that
the challenge for the management accounting profession was to
ensure that their members have the knowledge, skills and capabil-
ities to take advantage of the opportunities that are undoubtedly
there. The impact on management accountants identified by theScapens et al. research study included:
◆ Database technologies which have facilitated the storage of vast
quantities of information that is easily accessible and
analysable. Transaction processing and routine management
information was now computerised in most organisations.
◆ Decentring of accounting knowledge to non-financial managers
who need to be aware of the financial consequences of their
decisions. Cost management was increasingly seen as a man-agement rather than an accounting task.
◆ Budgets were increasingly being used as flexible rather than
static plans, being updated with rolling forecasts by managers
for performance monitoring purposes.
These factors have led to a shift in the ‘ownership’ of accounting
reports, from accountants to business managers.
Scapens et al. argued that a key role for management accountants inthe twenty-first century was integrating different sources of informa-
tion and explaining the interconnections between non-financial per-
formance measures and management accounting information. This
would enable individual managers to see the linkages between their
day-to-day operations, how these operations are presented in the
monthly management accounts, and how they link to the broader
strategic concerns of the business as reflected in the non-financial
measures. Although Scapens et al. did not address the management
accountant’s role in risk management, each of the above roles implic-
itly involves accountants to a greater or lesser extent in identifying
and managing risk. In an earlier study, Parker (2001) specifically
noted the emerging role of accountants in risk management.
The Chartered Institute of Management Accountants (1999) report
on Corporate Governance: History, Practice and Future viewed the
role of management accountants in corporate governance as pro-
viding information to the chief executive and the board which
allows their responsibilities to be effectively discharged.
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 51/189
CIMA’s Fraud and Risk Management Working Group produced a
guide to good practice in risk management (Chartered Institute of
Management Accountants, 2002). The report argued that manage-
ment accountants, whose professional training included the analy-
sis of information and systems, performance and strategic
management, can have a significant role to play in developing andimplementing risk management and internal control systems
within their organisations.
Summary
This chapter has given a brief overview of the practitioner litera-
ture on corporate governance, risk and risk management and an
overview of the academic literature in relation to managers, risk,and control. It was complemented by some consideration of the
changing requirements of management accountants.
Risk management is the process by which organisations methodi-
cally address the risks attaching to their activities with the goal of
achieving sustained benefit within each activity in pursuit of
organisational objectives and across the portfolio of all activities.
The focus of good risk management is the identification and treat-
ment of these risks consistent with the organisation’s risk appetite.Valuable frameworks exist for risk management:
◆ The Risk Management Standard (Institute of Risk Management,
2002)
◆ Enterprise Risk Management – Integrated Framework , Committee
of Sponsoring Organisations of the Treadway Commission
(COSO, 2004)
◆ Enterprise Governance: Getting the Balance Right (CIMA, 2003).
In theoretical terms, a distinction has been made between event-
uncertainty, commonly viewed as risk, and information-uncer-
tainty (Galbraith, 1977). Two of Galbraith’s four organisational
design strategies, the creation of slack resources, and the creation
of self-contained tasks reduce the need for information processing
because of lower performance standards. The other two, investing
in vertical information systems, and creating lateral relations
increase the organisational capacity to process information.
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
22
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 52/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
23
Risk can be thought about by reference to the existence of internal
or external events, information about those events (i.e. their visi-
bility), managerial perception about events and information (i.e.
how they are perceived), and how organisations establish
tacit/informal or explicit/formal ways of dealing with risk. There is
a distinction between objective, measurable risk and subjective,perceived risk.
Research shows that we know little about how managers consider
risks (Bettis and Thomas, 1990) but managers do take risks, based
on risk preferences at individual and organisational levels (March
and Shapira, 1987). Some of these risk preferences vary with
national cultures (Hofstede, 1980; Weber and Hsee, 1998). Some
are individual traits (Weber and Milliman, 1997).
The ‘risk thermostat’ (Adams, 1995) recognizes that risk propensity
varies based on the risk/reward trade-off and how these are bal-
anced against perceptions of danger. Douglas and Wildavsky (1983)
explained risk perception as a cultural process, commenting that
each culture, each set of shared values and supporting social insti-
tutions is biased toward highlighting certain risks and downplay-
ing others. We termed this the ‘social construction’ of risks.
We adapted the four ‘ideal types’ developed by Adams (1995): fatal-ists (or risk sceptical), hierarchists, individualists, and egalitarians (or
risk aware), as ‘risk stances’ as a means of exploring and understand-
ing individual and organisational risk management practices.
The Combined Code on Corporate Governance (Financial Reporting
Council, 2003) is an important motivator for risk management and
internal control practices. Internal control is the whole system of
internal controls, financial and otherwise, established in order to pro-
vide reasonable assurance of effective and efficient operation, inter-nal financial control, and compliance with laws and regulations.
However, as profits are, in part, the reward for successful risk taking
in business then the purpose of internal control is to help manage
and control risk appropriately rather than to eliminate it.
Nevertheless, there is the possibility of the illusion of control. The
changing role of management accountants is also an important factor
in establishing the context for their role in risk management and
wider views of management control.
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 53/189
24
This page intentionally left blank
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 54/189
2Exploratory case studies
25
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 55/189
26
This page intentionally left blank
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 56/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
27
Purpose
The purpose of the exploratory case studies was to understand the
relationship between risk and budgeting. This involved considera-
tion of how risk was enacted in budgeting and how managerial
perceptions of risk influenced the process and content of budgets.
The study was designed to explore the observation made by Berry
et al. (1995) that:
what one sees in a financial plan, especially one which is pro-
jected on a spreadsheet as single-point estimates over ten years,
might be one where the problem of uncertainty has been set aside.
Discussions of risk in management accounting texts are most com-
monly linked to rational concepts and the use of probability, pri-
marily in the context of capital budgeting decisions, to reflectunpredictability. Risk modelled budgeting was conjectured as a
descriptive model of the environment–organisation interface
through input–output modelling which assumes knowledge of the
means–ends transformation process.
On the other hand, observation of practice has revealed that organ-
isations may conceive of the budgetary system as a rational system
and seek to close it off from external influence. Budgets are often
single-point estimates rather than a range of possible outcomesdetermined through sensitivity analysis. In essence, this is a budg-
etary system designed within an implicit protective boundary.
Here, risk is explicitly excluded from the budgetary system and is
managed in some other domain. Hence, the risk excluded form of
budget was proposed.
Where organisations give attention to environmental influences,
while simultaneously creating a protective boundary, albeit in dif-
ferent elements of the budgetary system, a risk considered form of
budgeting was conjectured.
Research design
The exploratory case study was chosen as the most suitable
method because it enabled a study of the budgeting process and the
perceptions of various organisational participants as distinct from
the content of budgetary documents.
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 57/189
The selection of cases included both business and not-for-profit
sectors. Within the business sector, the researchers wanted to
consider separately large and smaller organisations. Within the
not-for-profit sector, the researchers wanted to study a public sec-
tor organisation and a voluntary organisation. By selecting four
very different organisations, the researchers’ intent was to identifyany similarities and differences in approaches to risk in the process
of budgeting.
The study was a pilot study funded by the Chartered Institute of
Management Accountants (CIMA) and conducted in each of the
four organisations during 2000. These organisations are referred to
as S, T, P and Q respectively. S was a plant of a multinational
Fortune 500 automotive parts supplier, an assembler and sequencer
of parts for a single customer, which exhibited the characteristics of a multinational. T was a manufacturing firm, a subsidiary of an
unlisted management buyout. P was a non-metropolitan police
force. Q was a voluntary sector organisation that provided both
direct services to clients through funded projects and contributed to
national policy debates. The major form of data collection was from
interviews during site visits with some observation.
These cases were not selected to be in any way representative of
larger groups, but as diverse organisations that might illustrate dif-ferent approaches to risk and budgeting. They were, however, all
parts of larger national organisations. This resulted in the (deliber-
ate) exclusion of financial market issues from the study.
The detailed research results were published by Elsevier in
Management Accounting Research (Collier and Berry, 2002).
Research findings
Risk
At the time of the research visits it was observed that each of the
case study organisations was facing a mini-crisis involving risk. S
was in negotiations with its single customer. Managers in T were
expressing significant concerns over the viability of the business in
the face of a steady decline in sales and poor delivery performance.
P had presented options to its police authority in relation to the
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
28
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 58/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
29
precept – the police component of the council tax – that would
determine the number of police officers. Q faced press reports and
public anger about paedophile activity that influenced fund raising
and public support. Each example enhanced the interviewees’ gen-
eral perceptions of risk with situation-specific illustrations of risk
as it pertained to the process and content of the budget.
The consequences of risk varied for each organisation. For S,
financial risk was high for the plant studied due to its dependence
on a single customer, although it shared operational risk with its
logistics and computer systems suppliers. However for S’s parent,
the plant was only one among many. For T, the principal risk was
the removal of financial support by institutional investors or, oper-
ationally, the degradation of customer satisfaction with delivery
such that the level of business would continue to decline. For P therisk, given a cash-limited budget, was the inability to satisfy pub-
lic demand given the ‘squeeze’ on resources and the local political
impact of the trade-off between police numbers and an increased
council tax levy. For Q, the primary risks were to its reputation as
a result of press coverage and the consequential risk to the conti-
nuity of funding, as well as the personal risk to employees and vol-
unteers coping with high levels of stress and anxiety.
Budgets
In each case, the researchers asked interviewees about the process
of budgeting that was used in their organisations. It became evident
in each organisation that, despite managerial perceptions of risk,
these perceptions were not evident in the budget process or the
content of the budget document. In S and T, top-down budgets
were established by the parent boards with no explicit regard to
risk. In P, once the budget was set by the police authority, there was
little financial risk due to the predictability of cash flows. In Q,
budgeting took place within known grants and resource allocations
from the national body.
In each case, budgeting was top-down, driven either by targets or
cash limits. Despite the managerial perceptions of risk that covered
wide-ranging issues, the budgeting process was largely protected
from the influence of those perceptions. It was as though the budget,
with well understood imperfections, was a point of stability in
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 59/189
turbulent worlds. In all four cases the process was of risk exclusion
from budgets, but not from the processes of budgeting.
Risk construction and domains of risk
Risk was constructed by managers of S in a narrow sense, mainlyfrom a technological, systems-based perspective. This was a result of
the finite boundaries that had been put around the business unit,
first, as a single customer plant and secondly, as a subsidiary of a
Fortune 500 company. In S, operational and financial risk was inter-
related. The single customer risk was offset in contractual terms that
minimised volume variations and passed on price increases during
the contract period. The most substantial risk, of contract failure,
was insignificant given S was a business unit of a multinational
company. Financial risk in terms of the expected return, while not
meeting parent targets, was considered satisfactory because there
was little investment in plant and lease obligations could be passed
to the customer given six months’ notice of termination.
T’s boundaries were defined by the exit strategy of its investor and
also in relation to the organisation’s history, technology and product
range being out of step with market changes. This may be evidence
of a prior process of mis-construction of risk. There was evidencefrom the interviews that understanding of risk was being recon-
structed before, during and presumably after the time of the study.
The main risks to T were the loss of investor support and retaining
sales in a very competitive market. These risks were exacerbated by
the poor flexibility evident in its equipment capability and the work-
ing practices of its employees, together with difficulties that had led
to poor delivery performance that could easily result in lost business.
The construction of risk was also a continuing aspect of P’s worldthat combined uncertain demand, limited resources and unclear
and ambiguous relationships between inputs and outcomes. P was
continually aware of the social and political risks that were associ-
ated with national expectations of productivity improvements and
financial constraints. In P, the research identified the notional sep-
aration of operational and financial risk, given the absence of con-
nection between demand and resources. These were becoming
more closely connected as the operational implications of financial
constraint were being recognised. What was particularly evident in
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
30
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 60/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
31
P was the political risk in managing relations between the police
force, the Home Office, the police authority and local authorities
over decisions about the level of precept (tax).
Q understood how funding agencies and the public saw the issues
with which they were trying to deal. For Q, risk was constructed in
relation to clients and their families and in relation to the effect on
staff. There was an enhanced awareness of organisational and per-
sonal functioning in relation to personal risk that fed into manage-
rial processes and roles. In Q, the operational risk was evident in
the need to maintain the organisation’s reputation while simultane-
ously being innovative. Financial risk was represented by fund rais-
ing constraints imposed by the outcome rationality of funding
agencies and perceptions of the public. Particularly evident was the
need to balance the delivery of project outcomes with the personalrisk to its staff and how this was addressed by training and by man-
agers’ monitoring how well staff handled difficult situations.
In each of the four organisations the context of unique circum-
stances, history and technology had led to different processes of
construction of ideas about risk. In the private sector firms S and T,
this came from a form of economic and technical rationality, them-
selves strongly influenced by economic ideology. In P and Q it
came from social, political and ideological change.
The cases differently illustrated the manner in which organisations
and their actors created domains in which risk could be under-
stood and managed. Four domains of risk – financial, operational,
political and personal – were found to exist and could be observed
to each of the four cases, albeit in different degrees. Risk was per-
ceived in each of these domains, but these domains were isolated
from the budgeting process that was dominated by target setting or
the imposition of cash limits. It was perhaps inevitable that these
differing social constructions, reflected in different domains, led to
differences between the process and content of budgeting.
Process and content of budgets
In S, the budgeting process reflected a compromise between the
parent company targets and the single-customer volume and price
negotiations. In T, the budgeting process was top-down, with sales
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 61/189
projections driving standard production costs and profitability tar-
gets that had to meet short-term investor targets. In P, no represen-
tation of risk appeared in the budget, other than tacitly in the
reserves carried forward at year-end. The calculations presented to
the police authority did, however, reflect a consideration of the
impact of various budgetary outcomes on the number of police offi-cers, and hence – albeit implicitly – on operational effectiveness.
In Q, financial risk was considered in the planning process both
nationally and at the regional level, although the budgets were con-
structed on the basis of best estimates of funding and expenditure.
An analysis of these cases suggests that the process of budgeting
and the resulting content of the budget may take any of the three
forms identified earlier: risk excluded, risk considered or risk mod-
elled. Using this schema, the process of budgeting in all four caseswas characterised as risk considered, in which a top-down budget-
ing process reflected negotiated targets. The content of budget doc-
uments were risk excluded, being based on a set of single-point
estimates, in which all of the significant risks were excluded from
the budget itself. The one exception was P, in which there was evi-
dence of risk considered processes in the papers prepared for the
police authority for their decision about the precept. Risk consid-
eration was also implicit in the reserves maintained by P for unpre-dictable operational and pension contingencies.
There was no evidence at the business unit level of any formal risk
modelling and an absence of discussion about any input–output
relationships. No manager, in any of the four cases, suggested any
calculation or use of probabilities (as March and Shapira (1987)
suggested). Some elements of risk modelling were possible – at
least implicitly – within S, but only because the nature of its sin-
gle-customer business with (± 3 per cent) volume certainty and theability to pass most cost increases to the customer, provided the
ability to predict most of the financial outcomes.
This suggests that budgeting, as a rational system, was separate from
the managerial perspective (implied by the views of budget ‘partici-
pants’) that reflected the location of risk in the interface between
organisation and environment. There are significant consequences
for the management of risk in this separation as budgeting did not
appear, in any of the four cases, to be a tool used in risk management,nor was risk evident in the risk excluded budgetary documents.
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
32
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 62/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
33
Summary of main case study findings
The findings from the four case studies reveal differences based on
the contexts of unique circumstances, histories and technologies of
the organisations. The four cases illustrate how the different social
constructions of participants in the budgeting process influenced
the domains – or alternative lenses – through which the process of
budgeting took place and how the content of the budget was deter-
mined. However, the research identified some similarities in the
four cases summarised as follows:
1. Four domains of risk were observed, reflecting the different
social constructions of participants – financial, operational,
political and personal. These domains were important in under-
standing how risk was perceived in the budgeting process. Riskwas perceived in each of these domains, but these perceptions
were isolated from the rational budgeting process that was dom-
inated by top-down targets or cash limits.
2. As previously stated, the process and content of budgeting was
categorised as risk modelled, risk considered or risk excluded.
There was little direct evidence of risk modelling in the four
cases and a minor reflection of risk consideration in one case.
The process of budgeting in all four cases was characterised as
risk considered, in which a top-down budgeting process
reflected negotiated targets. The content of budget documents
were risk excluded, being based on a set of single-point esti-
mates, in which all of the significant risks were excluded from
the budget itself. The separation of budgeting and risk manage-
ment had significant consequences for the management of risk
as the process of budgeting needs to be considered separately
from the content of budget documents. This has implications for
where risk is held within organisations.3. Risk transfer took place between and within organisations. Risk
transfer may be a response to avoid the problems implied by the
separation of a budget that is risk excluded from a budgeting
process that is risk considered. This response may be a reaction
to the lack of ‘participation’ by budget holders and the risk per-
ceptions held by managers.
4. Managers ‘held’ risk and provided containment for the anxiety of
others. Risk containment is a particular type of risk transfer, fromthe organisation to its managers, which takes place in relation to
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 63/189
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 64/189
3Survey research
35
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 65/189
36
This page intentionally left blank
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 66/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
37
Introduction
Following the case studies, it was decided to undertake a survey of
organisations in the UK to examine risk management practices and
the role of management accountants in risk management.
Solomon et al. (2000) built on the Turnbull Report to develop aframework for internal control, risk management and risk disclo-
sure. These research findings indicated that institutional investors
do not favour a regulated environment for corporate risk disclosure
or a general statement of business risk, although respondents
agreed that increased risk disclosure would assist in portfolio
investment decisions.
This chapter describes the survey design, the survey instrument,
the method of analysis and the results of that analysis.
Survey design
Risk management practices
Much of the financial and governance literature rests in the tradi-
tion of normative theorising or injunction. There was little research
that set out to explain the degree to which the organisational prac-tice of risk management was influenced by considerations of
economic rationality and corporate governance. The research
reported here aimed to understand the drivers and practice of risk
management and the consequences for performance for the organ-
isations. A subsidiary theme was the role of accountants in risk
management. The research builds on prior research in this area,
such as that by Helliar et al. (2002).
From rational considerations it was conjectured that risk manage-ment practices would be a function of the degree of environmental
uncertainty which organisations perceive to be affecting them. It
was expected that the higher the degree of environmental uncer-
tainty then the more complex and advanced would be risk man-
agement practices.
Hence, we sought to observe:
1. The use of basic methods of risk management (Q2.18; 5 elements;5 pt scale)
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 67/189
2. The use of advanced methods of risk management (Q2.18; 3
elements; 5 pt scale)
3. The perceived degree of environmental uncertainty faced by
the organisation (Q2.6; 4 elements; 5 pt scale).
(References here are to particular questions in the survey instru-
ment, see Appendix 1).
It was conjectured that risk management practices would be a func-
tion of the risk stance of the organisation. The risk stance of the
organisation was inferred from the degree to which organisational
risk management was designed to take advantage of risk as oppor-
tunity (an economic rationale, and corporate governance rationale)
and the degree to which organisational risk management was
designed to provide protection from risk (corporate governancerationale). The risk management stances were derived from Douglas
and Wildavsky and Adams and are shown in Figure 1.1 (see p. 18).
It was decided to change the Douglas and Wildavsky term ‘egalitar-
ian’ and substitute the term ‘risk aware’ to describe organisations
that might be high on both aspects of the risk management approach
and to use the term ‘risk sceptical’ (rather than fatalist) to describe
organisations that would score low on both aspects.
Hence, we also sought to observe:
4. The degree to which the organisation’s risk management was
designed to protect the organisation (Q2.12; 5 pt scale)
5. The degree to which the organisation’s risk management was
designed to take advantage of opportunities (Q2.12; 5 pt scale).
To check respondent bias we sought individual respondents’ views
of these two questions (Q1.4; 5 pt scales).
It was observed from the case studies that risk was absent from the
formal financial statements but considered in the processes of
financial management. Hence, to approach this finding it was
decided to observe whether risk was considered in the processes of
planning. The case studies had indicated that risk management
may have some supporting policies. Hence, we sought to observe:
6. The degree to which risks were ‘factored into’ organisational
planning (Q2.19; 6 elements; 5 pt scales)
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
38
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 68/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
39
7. The degree to which there were supporting policies and cul-
ture (Q2.9; 9 elements; 5 pt scale).
There have been very few studies (if any) which have been able to
measure the consequences for organisational performance arising
from risk management practices. Hence, we sought to observe:
8. The degree to which risk management practices have led to
improved performance (Q2.21; 6 elements; 5 pt scale).
Corporate governance is substantially directed to improving the
relationship with stakeholders and perhaps involving stakeholders
in corporate management. Hence, we sought to observe:
9. The degree to which stakeholders were involved in risk man-
agement in the organisation (Q2.15; 4 elements; 5 pt scales)
and
10. The degree to which risk management practices have led to
improved relationships with stakeholders (Q2.21; 3 elements;
5 pt scales).
The conjectured relationships are shown in Figure 3.1.
It has been observed that individual and organisations may be held
to have a propensity for taking risks – a risk ‘appetite’. Hence, wesought to observe:
11. The individual and organisational propensity to take risks
(Q1.2, 1.3, 2.10 and 2.11; 2 elements in each; 5 pt scales).
Perceived
environmental
uncertainty
Risk stance
Risk factored into
planning
Supporting procedures
Risk management
practices performance
Improved
External regulation
Figure 3.1 Conjectured relationships in our study
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 69/189
In order to ascertain organisations’ perceptions of the ‘drivers’ of
risk management, we sought to observe:
12. Organisation’s perceptions of the significance of a range of risk
drivers: legislation, regulatory bodies, expectations of share-
holders and analysts, competitive business environment, cus-tomers/clients, critical events, and the board (Q2.8; 5 pt scales).
Finally, in order to examine whether organisational size or type
(private sector, public sector, manufacturing or service provision)
affected risk management practices, we sought to observe:
13. Age, size and type of organisation (Q2.1, 2.2, 2.3, 2.4, and 2.5;
single item responses).
The role of accountants in risk management
The role of accountants in risk management was a subsidiary
theme. This was not to discount the importance of financial
accountants in the disclosure of risk (following Solomon et al.,
2000), but reflected the role of management accountants in risk-
based internal control (after Spira and Page, 2003). Hence, we
sought to observe:
1. The job title of the person primarily accountable for four ele-
ments of risk management: identifying, analysing and assess-
ing, deciding on action, reporting and monitoring risks (Q2.14;
8 elements; single response)
2. The degree of involvement of management accountants in risk
management (Q2.17; 2 elements; 4 pt scale)
3. The integration of management accounting and risk manage-
ment functions (Q2.16; 5 pt scale).
In addition to these items, we sought observations on:
4. Trends in risk management practice, past, present and future
(Q2.13; 4 elements; 3 pt scale)
5. The use of risk management approaches of transferring, reduc-
ing and mitigating (Q 2.20, 2 elements; 5 pt scales)
6. The perceived relationship of costs and benefits of risk man-
agement (Q. 2.22; 5 pt scales).
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
40
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 70/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
41
The survey design is shown diagrammatically in Figure 3.2. Our
framework suggested that risk management practices in organisa-
tions would likely be adopted and maintained as a consequence of
various drivers: external regulation, environmental factors, demo-
graphic factors and the organisational risk propensity (or appetite).
The role of management accountants in risk management was asubsidiary theme. Finally, the perceived effectiveness of risk man-
agement practices was sought.
The survey instrument
As part of the design process, six interviews were conducted with
managers responsible for risk management. In addition, there was
an interview with the chief executive of a professional associa-
tion of risk managers. The research instruments were tested for
comprehension on ten respondents, which included all those we
had interviewed as part of the survey design process as well as
other respondents we approached who had no involvement in the
survey design. Following advice from interviewees, the survey
External regulation
(Turnbull, Combined Code, etc.)
Environment (Industry/sector)
Competitive intensity
Risk/uncertainty
Organisational demographics
Ownership structure
Industry, size (turnover/employees)
Risk propensity
Other drivers Risk management practices
Policy, procedure, methods, etc.
Involvement of accountants/
accounting in risk management
Perceived effectiveness of
risk management
Figure 3.2 Framework for risk management practices in organisations
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 71/189
was compressed into a four page printed document (see
Appendix 1) in order to make it easier to answer and hence
improve the response rate.
In line with research intent, the survey was directed to three
groups: large publicly quoted companies (FTSE), small and
medium sized organisations (SMEs) and accountants (CIMA mem-
bers). Survey responses in most cases required respondents to tick
a box on a 5-point Likert scale. There were two separate survey
instruments, although there were only minor differences between
the two, to reflect the knowledge that all CIMA members were
accountants, which modified two of the questions.
The research was undertaken using a postal survey instrument
mailed to 3000 named people, (2000 CIMA members; 500 FTSE
Directors and 500 SME Directors). CIMA produced a mailing list
of 5000 members based in the UK who had been members for more
than 3 years and had the word ‘accountant’ in their job title. We
randomly selected two from every five. For the FTSE sample we
obtained the details of UK companies listed on the London Stock
Exchange from www.londonstockexchange.com. Companies listed
on the Alternative Investment Market, Investment Companies and
Investment Entities were excluded, leaving a population of 1179.
These companies were arranged alphabetically and 500 compa-nies were randomly selected. The financial director’s name was
used in the first instance, but if this was unavailable, the chief
executive’s name was used. The covering letter accompanying the
questionnaire asked the named person or a nominee from their
senior management teams to complete the questionnaire.
Using FAME, UK SMEs were identified with a minimum turnover
of between £2 million and £11.2 million and a minimum number
of 50 employees. This effectively eliminated the very small busi-
ness sector and is in line with the Companies Act definition of an
SME. Five hundred companies were selected randomly from a total
population of 19 811 and the survey was addressed to the named
chief executive or managing director.
From the postal survey instrument targeted at the three groups –
stock exchange listed companies (FTSE), small & medium enter-
prises (SMEs) and CIMA members – there were 333 usable
responses, a rate of 11 per cent which was deemed adequate to
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
42
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 72/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
43
enable analysis, particularly as there were sufficient responses over
each of the three survey groups to provide statistical tests. The
responses are shown in Table 3.1.
An additional theme of the study was to explore whether the risk
stance of the company was related to its market performance (val-
uation). However, in the survey, respondents were permitted to
provide a response without identifying their organisation by name,
hence, this additional part of the research was limited by the avail-
able data. It was conjectured that the risk stance would be associ-
ated with market valuation. Because risk awareness was
considered to be a more sophisticated risk stance it was conjec-
tured that the risk aware companies would be favourably viewed
by the market.
Survey analysis
In this report, the different survey group responses are largely
omitted except where they are relevant to the conclusions drawn.
The raw survey data was entered into SPSS and examined to check
the distributions of the scales. A preliminary statistical analysis
suggested that the scale elements for the variable under examina-tion were highly correlated. Factor analysis was used on the raw
data which produced ‘group’ responses for the variables. These
items were subjected to principal components analysis using SPSS.
Cronbach’s alpha coefficient was used to measure the internal
consistency of the eleven ‘groups’ (Table 3.2). Based upon the new
Table 3.1 Summary of survey responses
Sample
CIMA FTSE SME Total
Questionnaires issued 2000 500 500 3000
Total responses 259 63 47 369
Response rate (%) 13 12.6 9.4 12.3
Non-usable responses 17 13 6 36
Usable responses 242 50 41 333
Usable response rate (%) 12.1 10.0 8.2 11.1
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 73/189
group variables, comparisons of the responses of CIMA, FTSE and
SME groups were made. Following the statistical analysis, the find-
ings were explored with a small number of risk management
professionals, management accountants and SME managers who
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
44
Table 3.2 Factor analysis
Group construct description Factor analysis
No.of Cronbach’s Mean Std
items alpha dev.
Total sample
1 Degree of uncertainty & risk faced 3 0.7985 3.46 0.71
2 Change in uncertainty & risk faced 3 0.8039 3.84 0.60
3 Supporting processes and culture 8 0.8833 3.44 0.67
4 Stakeholder involvement 4 0.6806 2.87 0.785 Usage rate of basic methods 4 0.6696 2.76 0.87
6 Usage rate of technical methods 2 0.7590 1.91 0.99
7 Effectiveness of basic methods 4 0.6913 2.75 0.87
8 Effectiveness of technical methods 2 0.7735 2.01 1.02
9 Risks factored into organisational planning 6 0.8784 3.37 0.83
10 Improved performance 9 0.8942 2.93 0.72
11 Improved external relationships 3 0.8131 2.49 0.89
CIMA
1 Degree of uncertainty & risk faced 3 0.7900 3.44 0.732 Change in uncertainty & risk faced 3 0.7983 3.89 0.59
3 Supporting processes and culture 8 0.8867 3.37 0.69
4 Stakeholder involvement 4 0.6728 2.87 0.76
5 Usage rate of basic methods 4 0.6961 2.72 0.89
6 Usage rate of technical methods 2 0.7423 2.02 1.03
7 Effectiveness of basic methods 4 0.7324 2.68 0.89
8 Effectiveness of technical methods 2 0.7688 2.13 1.06
9 Risks factored into organisational planning 6 0.8795 3.26 0.83
10 Improved performance 9 0.8937 2.87 0.7211 Improved external relationships 3 0.8275 2.50 0.90
FTSE
1 Degree of uncertainty & risk faced 3 0.8098 3.59 0.68
2 Change in uncertainty & risk faced 3 0.8602 3.73 0.63
3 Supporting processes and culture 8 0.8111 3.66 0.50
4 Stakeholder involvement 4 0.7415 2.83 0.84
5 Usage rate of basic methods 4 0.5107 3.04 0.78
6 Usage rate of technical methods 2 0.7989 1.70 0.93
7 Effectiveness of basic methods 4 0.4644 3.10 0.728 Effectiveness of technical methods 2 0.7739 1.85 0.99
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 74/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
45
helped to inform the interpretation of, and explanations for the sta-
tistical results.
The relationships between the grouped variables were investigated
for the total responses and each of the survey groups. Chi-square tests
were used to analyse relations between categorical variables such as
risk propensity and survey family. We also used one-way ANOVA
(analysis of variance) to determine if there were any significant dif-
ferences in mean scores across the three survey groups. Spearman’srank order correlation (rho) was used to calculate the strength of rela-
tionship between the groups, which are shown in Table 3.3. The cor-
relations present what appears to be a coherent view of risk taken by
respondents. The correlations also suggest that respondents had a
commonality of view of notions of uncertainty and risk.
Appendix 2 contains more detailed statistical information in rela-
tion to those tables in the text which contain only mean and stan-
dard deviation data.
Table 3.2 (Continued )
Group construct description Factor analysis
No.of Cronbach’s Mean Std
items alpha dev.
9 Risks factored into organisational planning 6 0.8595 3.58 0.7510 Improved performance 9 0.8876 2.95 0.71
11 Improved external relationships 3 0.8137 2.36 0.92
SME
1 Degree of uncertainty & risk faced 3 0.8456 3.46 0.69
2 Change in uncertainty & risk faced 3 0.7352 3.67 0.60
3 Supporting processes and culture 8 0.8901 3.58 0.62
4 Stakeholder involvement 4 0.6497 2.90 0.81
5 Usage rate of basic methods 4 0.6494 2.70 0.85
6 Usage rate of technical methods 2 0.7826 1.54 0.617 Effectiveness of basic methods 4 0.5892 2.72 0.83
8 Effectiveness of technical methods 2 0.7873 1.60 0.72
9 Risks factored into organisational planning 6 0.8723 3.70 0.76
10 Improved performance 9 0.8924 3.23 0.66
11 Improved external relationships 3 0.7224 2.61 0.78
Std dev. : standard deviation
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 75/189
Risk and Managemen4 6
Table 3.3 Correlations of grouped responses
1 2 3 4 5 6 7Total sample
Degree of uncertainty & risk faced 1
Change in uncertainty & risk faced 2 0.295**
Supporting processes & culture 3 0.111* -0.087
Stakeholder involvement 4 0.083 -0.032 0.078
Usage rate of basic methods 5 0.023 0.055 0.497** 0.095
Usage rate of technical methods 6 0.120* 0.050 0.373** 0.246** 0.508**
Effectiveness of basic methods 7 -0.057 0.017 0.463** 0.102 0.847** 0.447**
Effectiveness of technical methods 8 0.062 0.015 0.302** 0.216** 0.425** 0.836** 0
Risks factored into organisational
planning 9 0.083 -0.065 0.398** 0.212** 0.320** 0.301** 0
RM has improved performance 10 0.080 0.040 0.491** 0.205** 0.357** 0.423** 0
RM has improved external
relationships 11 0.055 -0.047 0.289** 0.466** 0.290** 0.411** 0
CIMA
Degree of uncertainty & risk faced 1
Change in uncertainty & risk faced 2 0.280**Supporting processes & culture 3 0.092 -0.054
Stakeholder involvement 4 0.098 -0.062 0.102
Usage rate of basic methods 5 0.016 0.095 0.505** 0.054
Usage rate of technical methods 6 0.141* 0.038 0.435** 0.251** 0.550**
Effectiveness of basic methods 7 -0.051 0.059 0.466** 0.101 0.848** 0.507**
Effectiveness of technical methods 8 0.023 -0.035 0.388** 0.261** 0.498** 0.845** 0
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 76/189
a g e m e n t A c c o u n t i n g4 7
Risks factored into organisational
planning 9 0.094 -0.041 0.431** 0.272** 0.342** 0.450** 0
RM has improved performance 10 0.070 0.046 0.524** 0.238** 0.359** 0.511** 0
RM has improved external
relationships 11 0.080 -0.035 0.306** 0.442** 0.273** 0.414** 0
FTSEDegree of uncertainty & risk faced 1
Change in uncertainty & risk faced 2 0.261
Supporting processes & culture 3 0.160 -0.022
Stakeholder involvement 4 0.107 0.052 0.171
Usage rate of basic methods 5 -0.007 0.102 0.436** 0.184
Usage rate of technical methods 6 0.255 0.193 0.531** 0.257 0.420**
Effectiveness of basic methods 7 -0.078 0.064 0.359* -0.005 0.789** 0.344*
Effectiveness of technical methods 8 0.454** 0.218 0.364* 0.101 0.267 0.840** 0
Risks factored into organisational
planning 9 -0.122 -0.150 0.284 0.024 0.044 0.050 0
RM has improved performance 10 0.079 0.039 0.495** 0.262 0.330* 0.340* 0
RM has improved external
relationships 11 -0.010 -0.061 0.504** 0.605** 0.305* 0.387** 0
SME
Degree of uncertainty & risk faced 1
Change in uncertainty & risk faced 2 0.529**
Supporting processes & culture 3 0.135 -0.168Stakeholder involvement 4 -0.004 0.116 -0.146
Usage rate of basic methods 5 0.043 -0.131 0.415** 0.188
Usage rate of technical methods 6 -0.130 -0.284 0.178 0.339* 0.585**
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 77/189
Risk and Managemen4 8
Table 3.3 (Continued )
1 2 3 4 5 6 7
Effectiveness of basic methods 7 -0.132 -0.184 0.432** 0.231 0.878** 0.489**
Effectiveness of technical methods 8 -0.175 -0.223 0.089 0.223 0.383* 0.745** 0
Risks factored into organisational
planning 9 0.155 0.082 0.182 0.147 0.459** 0.146 0
RM has improved performance 10 0.047 0.109 0.258 -0.132 0.509** 0.321* 0
RM has improved external
relationships 11 -0.046 -0.169 0.105 0.396* 0.516** 0.494** 0
** Correlation is significant at the 0.01 level (2-tailed). * Correlation is significant at the 0.05 level (2-tailed)
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 78/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
49
Survey results
Demographics
There were no significant correlations between either the owner-
ship structure of the organisation or the nature of business and any
of the grouped data. We did find some significant positive correla-tions (at the 0.01 level) with the size of the organisation and the use
of basic and sophisticated methods of risk assessment and man-
agement. There was therefore little evidence of any contingent
explanations for risk management based on either size or business
sector. This finding differed from the implication of that of
Liebenberg and Hoyt (2003) who found no effect of size.
Environmental uncertainty
There was no significant correlation between environmental uncer-
tainty and risk (or the change in uncertainty and risk) and other
group variables. This negated one of the assumptions in the con-
ceptual framework, that environmental uncertainty and risk would
influence risk management practices. It is possible the respondents
regarded the question as too abstract and would assume that the
various aspects of the environment were subsumed in the mannerin which risks were factored into planning.
Respondents rated competitive intensity and degree of uncertainty
in their industry/sector, as well as the degree of risk faced by the
organisation and the sector. This is shown in Table 3.4 (Appendix 2
contains expanded statistics for this table).
Overall, CIMA respondents were more risk concerned than the
other respondent groups in relation to their organisations, despite
having a lower perception of competitive intensity and uncertainty
in their industry/sector.
Drivers of risk management
Table 3.5 shows that the strongest drivers of risk management were
the board/top management, legislation and the competitive busi-
ness environment. Appendix 2 contains expanded statistics for this
table.
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 79/189
There was general agreement in the responses that legislation, regu-
latory bodies, the board/top management and the competitive busi-
ness environment were important drivers of risk management. This
is in contrast to the finding above that competitive intensity was not
an important driver. However, the high ‘agree’ response to all the
drivers raises questions about the value of these responses. Duringfollow-up interviews the importance of compliance with legislation
as the dominant driver for many organisations was emphasised.
The extent to which shareholders and analysts, suppliers, cus-
tomers, and banks and financiers were involved in risk manage-
ment in the respondents’ organisations is shown in Table 3.6
(Appendix 2 contains expanded statistics for this table).
These results suggested that risk management was driven by an
institutional response to calls for improved corporate governance,
which may reflect both protection and economic opportunity. The
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
50
Table 3.4 Competitive intensity, uncertainty and risk
*Mean Std dev.
Total sample
Degree of competitive intensity in the industry/sector 3.56 1.18
Degree of uncertainty in the industry/sector environment 3.43 0.94Degree of risk faced by the organisation 3.46 0.81
Degree of risk faced within industry/sector 3.50 0.79
CIMA
Degree of competitive intensity in the industry/sector 3.42 1.26
Degree of uncertainty in the industry/sector environment 3.37 0.96
Degree of risk faced by the organisation 3.45 0.83
Degree of risk faced within industry/sector 3.48 0.79
FTSE
Degree of competitive intensity in the industry/sector 3.88 0.90Degree of uncertainty in the industry/sector environment 3.59 0.81
Degree of risk faced by the organisation 3.54 0.76
Degree of risk faced within industry/sector 3.61 0.81
SME
Degree of competitive intensity in the industry/sector 4.05 0.77
Degree of uncertainty in the industry/sector environment 3.56 0.90
Degree of risk faced by the organisation 3.37 0.70
Degree of risk faced within industry/sector 3.46 0.78
* 1 = very low; 5 = very high. Std dev.: standard deviation
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 80/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
51
external drivers of risk management practices, other than competi-
tive intensity, risk or uncertainty, were observed to be external
stakeholders and the demands of regulators and legislation, enacted
through boards of directors which were likely to exert influence
over the policies and methods adopted for risk management.
Table 3.5 Drivers of risk management
*Mean Std dev.
Total sample
Legislation (including Combined Code and Turnbull Report) 3.79 0.82
Regulatory bodies 3.79 0.83Expectations of shareholders/analysts 3.35 0.98
The competitive business environment 3.72 0.79
Customers/clients who demand it 3.51 0.90
A critical event or a near miss 3.54 0.97
Board/top management 3.84 0.70
CIMA
Legislation (including Combined Code and Turnbull Report) 3.80 0.81
Regulatory bodies 3.81 0.82
Expectations of shareholders/analysts 3.29 1.00The competitive business environment 3.70 0.80
Customers/clients who demand it 3.63 0.85
A critical event or a near miss 3.60 0.98
Board/top management 3.82 0.70
FTSE
Legislation (including Combined Code and Turnbull Report) 3.72 0.99
Regulatory bodies 3.64 0.94
Expectations of shareholders/analysts 3.66 0.89
The competitive business environment 3.66 0.87Customers/clients who demand it 3.00 0.96
A critical event or a near miss 3.20 0.95
Board/top management 3.88 0.75
SME
Legislation (including Combined Code and Turnbull Report) 3.80 0.68
Regulatory bodies 3.85 0.76
Expectations of shareholders/analysts 3.29 0.84
The competitive business environment 3.88 0.56
Customers/clients who demand it 3.41 0.92A critical event or a near miss 3.59 0.89
Board/top management 3.88 0.71
* 1 = strongly disagree; 5 = strongly agree. Std dev.: standard deviation
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 81/189
Risk propensity
Respondents were asked to identify their own propensity to take
risks and their organisation’s propensity to take risks. The results
are shown in Table 3.7 (Appendix 2 contains expanded statistics
for this table).
Respondents were also asked about the extent to which this propen-
sity had changed over the last two years. The results are shown in
Table 3.8 (Appendix 2 contains expanded statistics for this table).
Personal risk propensity was analysed by demographic character-
istics using the Chi-square test. There were no statistically signifi-
cant associations between risk propensity (risk averse, risk neutral
and risk willing) and organisation type, sector or size. Correlations
between personal views and the organisational approach of risktaking and risk management are shown in Table 3.9. As would be
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
52
Table 3.6 Stakeholder involvement in risk management
*Mean Std dev.
Total sample
Shareholders/analysts 2.63 1.16
Suppliers 2.66 1.04Customers 3.16 1.08
Banks/financiers 3.04 1.08
CIMA
Shareholders/analysts 2.60 1.16
Suppliers 2.66 1.01
Customers 3.18 1.06
Banks/financiers 3.03 1.08
FTSE
Shareholders/analysts 2.65 1.10Suppliers 2.65 1.16
Customers 3.00 1.10
Banks/financiers 3.10 1.08
SME
Shareholders/analysts 2.78 1.24
Suppliers 2.63 1.11
Customers 3.22 1.15
Banks/financiers 3.03 1.10
* 1 = strongly disagree; 5 = strongly agree. Std dev.: standarddeviation
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 82/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
53
Table 3.7 Propensity to take risks
*Mean Std dev.
Total sample
Personal propensity to take risks 3.14 0.90
Organisational propensity to take risks 3.03 0.95CIMA
Personal propensity to take risks 3.02 0.92
Organisational propensity to take risks 2.92 0.95
FTSE
Personal propensity to take risks 3.56 0.70
Organisational propensity to take risks 3.42 0.91
SME
Personal propensity to take risks 3.32 0.85
Organisational propensity to take risks 3.17 0.89
* 1 = refuse to take risks; 5 = keen to take risks. Std dev.: standard deviation
Table 3.8 Changing propensity to take risks
*Mean Std dev.
Total sample
Change in personal propensity to take risks in the last 2 years 3.06 0.82
Change in organisational propensity in the last 2 years 3.14 0.87CIMA
Change in personal propensity to take risks in the last 2 years 3.13 0.82
Change in organisational propensity in the last 2 years 3.19 0.86
FTSE
Change in personal propensity to take risks in the last 2 years 2.86 0.76
Change in organisational propensity in the last 2 years 2.88 0.77
SME
Change in personal propensity to take risks in the last 2 years 2.90 0.83
Change in organisational propensity in the last 2 years 3.17 0.97
* 1 = reduced significantly; 5 = increased significantly. Std dev.: standard deviation
Table 3.9 Personal propensity versus the organisation’s propensity
CIMA FTSE SME Total
Relationship between personal
propensity to take risk and the
organisation’s propensity to take risk 0.210** 0.460** 0.702** 0.332**
** Correlation is significant at the 0.01 level (2-tailed).
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 83/189
expected, the personal risk propensity variable and the organisa-
tional risk propensity variable were positively correlated (0.33**).
However, there was a marked difference between the samples sug-
gesting that the fit between personal propensity and organisational
propensity was not as strong for CIMA members (0.21**), as com-
pared to SME (0.702**) and FTSE (0.460**).
Attitudes to risk
Respondents were asked the extent to which they believed that risk
management was about avoiding negative consequences and
achieving positive consequences. Responses to both questions
were combined to compare personal and organisational risk
stances. The results are shown in Tables 3.10 and 3.11.
While 73 per cent of respondents agreed that risk management was
about avoiding negative consequences, 67 per cent believed it was
about achieving positive ones, and 48 per cent of responses agreed
that risk management was both about achieving positive conse-
quences and avoiding negative ones. The respondents viewed their
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
54
Table 3.10 Personal perspectives about risk management (%)
Risk management is about
achieving positive consequences
Disagree Neutral Agree Total
Disagree 2 1 11 14
Risk management is about Neutral 1 3 8 12
avoiding negative consequences Agree 10 15 48 73
Total 13 19 67 100
Table 3.11 Risk management in the organisation (%)
Risk management is about
achieving positive consequences
Disagree Neutral Agree Total
Disagree 1 1 5 7
Risk management is about Neutral 0 5 9 14
avoiding negative consequences Agree 14 22 43 79
Total 15 28 57 100
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 84/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
55
organisations as more concerned with avoiding negative conse-
quences (79 per cent) than about achieving positive ones (57 per
cent) with 43 per cent responding that it was about both in their
organisations.
The stance towards risk was considered, both individually and
organisationally, as an important determinant of risk management.
Risk was seen on an individual level as much about achieving pos-
itive consequences as avoiding negative ones. However, organisa-
tional risk management was more about avoiding negative
consequences. This suggests, at the organisational level, risk man-
agement was rather more likely to be about a defensive orientation
than an opportunistic one.
Risk processes and culture
Respondents were asked about the extent to which they agreed
with whether or not the organisation had a range of processes and
culture to support risk management and internal control. The
results are shown in Table 3.12 (Appendix 2 contains expanded
statistics for this table).
Overall, these responses suggest that more than half of respondentswere satisfied with their risk management processes and internal
control systems but weaker responses suggested that only about
half of respondents’ organisations felt that risks were understood
and embedded at the cultural level. The results also suggest that
CIMA respondents were less confident in the formal control sys-
tems and, surprisingly, that SME responses suggest a higher degree
of formality of controls than might have been expected.
Eighty-three per cent of respondents agreed that risk should bemanaged through a formal control system, but only 62 per cent
said it was managed formally in their organisations. Twenty-one
per cent of respondents agreed that it should be more a matter of
personal judgement, 25 per cent saying that this was how risk was
managed in their organisations. This has implications for infor-
mal, intuitive risk management processes. It suggests a heuristic
method of risk management is at work in contrast to the systems-
based approach that is associated with risk management in the
professional literature.
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 85/189
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
56
Table 3.12 Supporting processes and culture
*Mean Std dev.
Total sample
Your organisation has an effective risk management policy 3.50 0.90
Risks are well understood throughout your organisation 3.32 0.90Controlling risk is highly centralised within your organisation 3.21 1.04
Your organisation regularly reviews internal controls 3.76 0.83
Risk management is embedded in your organisation’s culture 3.23 1.00
Formal procedures are in place for reporting risks 3.51 0.95
The level of internal control is appropriate for the risks faced 3.47 0.84
Your organisation is effective at prioritising risks 3.27 0.86
Changes to risks are assessed and reported on an ongoing basis 3.41 0.92
CIMA
Your organisation has an effective risk management policy 3.42 0.92
Risks are well understood throughout your organisation 3.25 0.94
Controlling risk is highly centralised within your organisation 3.31 0.99
Your organisation regularly reviews internal controls 3.72 0.88
Risk management is embedded in your organisation’s culture 3.20 1.01
Formal procedures are in place for reporting risks 3.43 0.99
The level of internal control is appropriate for the risks faced 3.38 0.86
Your organisation is effective at prioritising risks 3.18 0.87
Changes to risks are assessed and reported on an ongoing basis 3.31 0.93
FTSE
Your organisation has an effective risk management policy 3.86 0.79
Risks are well understood throughout your organisation 3.51 0.77
Controlling risk is highly centralised within your organisation 2.80 1.15
Your organisation regularly reviews internal controls 3.96 0.50
Risk management is embedded in your organisation’s culture 3.37 0.95
Formal procedures are in place for reporting risks 3.82 0.73
The level of internal control is appropriate for the risks faced 3.65 0.66
Your organisation is effective at prioritising risks 3.45 0.79
Changes to risks are assessed and reported on an ongoing basis 3.69 0.87
SME
Your organisation has an effective risk management policy 3.51 0.78
Risks are well understood throughout your organisation 3.51 0.71
Controlling risk is highly centralised within your organisation 3.10 1.07
Your organisation regularly reviews internal controls 3.78 0.85
Risk management is embedded in your organisation’s culture 3.24 0.97
Formal procedures are in place for reporting risks 3.59 0.87
The level of internal control is appropriate for the risks faced 3.78 0.79
Your organisation is effective at prioritising risks 3.59 0.74
Changes to risks are assessed and reported on an ongoing basis 3.63 0.86
* 1 = strongly disagree; 5 = strongly agree. Std dev.: standard deviation
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 86/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
57
The correlations in Table 3.3 reveal strong relationships between:
1. supporting processes and culture and the usage of basic and
technical methods of risk management
2. risks being factored into plans and improved performance and
external relationships3. stakeholder involvement and risks being factored into plans,
improving performance and external relationships
4. the use of various methods of risk management and risks being
factored into plans, improved performance and external rela-
tionships.
Trends in risk management approach
Respondents indicated whether risk was not considered, consid-
ered tacitly, but not documented or formally managed, considered
and formally documented in a systematic way, or considered, doc-
umented and used to aid decision-making, all in relation to three
time periods – two years ago, currently, and the planned approach
in the next two years.
The responses to the approach to risk in the past, present and
future are summarised in Figure 3.3. This reflects the respondents’experience that risk has shifted from being considered tacitly to
being considered more formally and their expectation that this
trend will shift markedly to a more holistic approach with risk
being used to aid decision-making.
A trend in risk management observed was from risk being consid-
ered tacitly in the past to it being considered formally in the present,
Risk not considered
Risk considered tacitly
Risk considered in asystematic way
Risk considered, andused to aid decisions
0%
10%
20%
30%
40%
50%
60%
70%
Historically Currently Planned
Figure 3.3 Trends in risk management
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 87/189
together with the expectation that in the future there would be a
more holistic approach to risk being used to aid decision-making.
This may be a reasonable expectation, an aspiration or it may reflect
some unease in our respondents that risk management practices in
use do not appear to connect to organisation or business problems or
contribute as much to decision-making as they consider necessary ordesirable. If the latter is so then the picture may represent a some-
what idealised picture, which may continue to exist.
Although the FTSE group saw their current approach as largely
formal compared to the other survey groups, and the SME group
reflected a lower degree of formality expected in the future, all sur-
vey groups (including CIMA) reflected a similar trend to that
shown in Figure 3.3. There was also a stronger view by CIMA
respondents that risk was considered systematically and used indecision-making than that of FTSE who see it as largely tacit. There
was a similarity in the expected shift by both CIMA and FTSE
respondents from divergent positions historically and currently to
a consistent planned approach in which risk is systematically con-
sidered rather than tacit and largely used to aid decision-making.
Risk management methods
We separated the risk management methods used into two cate-
gories: basic and technical. These are shown in Table 3.13.
The usage rates of these risk management methods are shown in
Table 3.14 (Appendix 2 contains expanded statistics for this table).
Table 3.3 showed that the only correlations of the external environ-
mental uncertainty were with the Effectiveness of technical methods
for the whole sample (0.14*) and the CIMA subsample (0.14*).
However, environmental uncertainty correlated with theEffectiveness of technical methods (0.454**) for the FTSE subsample.
The methods in highest use were the more subjective ones (partic-
ularly experience), with quantitative methods used least of all.
There was also significant reliance on external advisers. This rein-
forces the conjecture that heuristic mechanisms may be more
important for risk management than systematic mechanisms.
The degree to which these methods were observed to be effective
in helping respondents’ organisations to manage risk was highly
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
58
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 88/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
59
Table 3.13 Categories of risk management methods
Basic methods of risk management Technical methods of risk management
◆ Brainstorming, scenario ◆ Stochastic modelling, statistical
analysis, PEST/SWOT analysis analysis
◆ Interviews, surveys, ◆ Risk management softwarequestionnaires
◆ Likelihood/consequences matrix
◆ Monitoring using a risk register
or written reports
Table 3.14 Usage rate of risk management methods
*Mean Std dev.
Total sample
Usage rate of basic methods 2.76 0.87
Usage rate of technical methods 1.91 0.99
Use of experience, intuition, hindsight,
judgement to management risk 3.89 0.89
Use of auditors or external consultants to management risk 2.91 1.23
CIMAUsage rate of basic methods 2.72 0.89
Usage rate of technical methods 2.02 1.03
Use of experience, intuition, hindsight,
judgement to management risk 3.87 0.86
Use of auditors or external consultants to management risk 2.99 1.28
FTSE
Usage rate of basic methods 2.83 0.84
Usage rate of technical methods 3.04 0.78
Use of experience, intuition, hindsight, judgement to management risk 3.92 1.00
Use of auditors or external consultants to management risk 2.63 1.01
SME
Usage rate of basic methods 2.90 0.81
Usage rate of technical methods 2.70 0.85
Use of experience, intuition, hindsight,
judgement to management risk 3.95 0.95
Use of auditors or external consultants to management risk 2.78 1.19
* 1 = low; 5 = high. Std dev.: standard deviation
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 89/189
correlated with the degree of use, as might be expected. If a method
was not perceived as effective it was unlikely to continue in use.
An exception was that there was less confidence in experience,
intuition, hindsight and judgement with only 48 per cent of
respondents believing that these were the most effective methods,
compared with the 70 per cent of respondents who used thatmethod.
Table 3.3 (total sample) reveals that there were strong relationships
between supporting processes and culture and the usage of basic
and technical methods of risk management, risks being factored
into plans and improved performance and external relationships.
However, a higher proportion of FTSE and SME respondents
believed that risk management in their organisations was handled
through a formal control system, reinforcing the suggestion that
CIMA respondents may have had less confidence than other respon-
dents in the use of control systems for risk management purposes.
Involvement of accountants in risk management
Those reported to be primarily accountable for the processes of
identifying risk, analysing and assessing risk, deciding on risk
management action, and reporting and monitoring risk are shownin Table 3.15.
Deciding on risk management action was predominantly the con-
cern of the chief executive and the board. Finance directors had a
major role in analysing and assessing, and reporting and monitor-
ing risk. The finance director was identified with more aspects of
risk management than any other role, suggesting that they may
have a pivotal role in risk management. The responses reveal that
line managers were mostly concerned with identifying risk,
analysing and reporting on risk.
Management accountants were scored lower than internal audit
and risk managers on the identification of risk. They were equal
with internal auditors but lower than risk managers on analysing
and assessing risk. They were lower than internal auditors and risk
managers in deciding on risk management action and only scored
slightly higher than internal auditors in reporting and monitoring
risk.
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
60
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 90/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
61
The extent to which management accounting and risk management
were reported to be integrated in organisations is given in Table3.16 (Appendix 2 contains expanded statistics for this table).
CIMA respondents were also asked whether, in terms of risk man-
agement, their level of involvement of management accounting
was sufficient. The results are shown in Table 3.17.
There was little reported integration between management account-
ing and risk management, and management accountants in the
overwhelming majority of organisations were being marginalised in
relation to risk management. While CIMA respondents feel that
Table 3.15 Job title primarily accountable for risk management
Identifying Analysing Deciding on Reporting
risks assessing risk monitoring
risks management risk
action
Count % Count % Count % Count %
CEO/managing 83 15 44 9 121 25 33 7
director
Board/audit 65 12 59 12 126 26 57 12
committee
Director of finance 72 13 87 18 97 20 86 19
Internal audit 55 10 63 13 23 5 60 13
Risk manager 70 13 79 16 42 9 76 16
Management 45 8 63 13 12 2 63 14
accountant
Line managers 155 28 87 18 64 13 86 19
Total count 545 100 482 100 485 100 461 100
Table 3.16 Integration of organisational management
accounting and risk management functions
*Mean Std dev.
Total sample 2.81 0.97
CIMA 2.81 0.97
* 1 = strongly disagree; 5 = strongly agree. Std dev.: standard deviation
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 91/189
management accountants should have more involvement in risk
management, this was not a view shared by other respondents.
Perceived consequences of risk management
The reported degrees of improvement brought about as a conse-
quence of risk management are shown in Table 3.18 (Appendix 2
contains expanded statistics for this table).
Responses were fairly evenly spread, although more respondents
believed there had been no improvement in relations with share-
holders and suppliers, while management reporting and reputation
had improved the most.
The extent to which various choices were made in risk manage-
ment and the reported effectiveness of those choices is shown in
Tables 3.19 and 3.20 (Appendix 2 contains expanded statistics for
these tables).
Modes of risk management
Although all methods were in high use, management action to
decrease the likelihood of risk was given the highest ranking. The
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
62
Table 3.17 The level of involvement of management accounting in the
organisation’s risk management
Insufficient About right Too involved No view
(%) (%) (%) (%)
Total sample 37 57 2 4CIMA 37 57 2 4
FTSE 10 80 6 4
SME 20 76 2 2
Increasing Not changing Decreasing No view
(%) (%) (%) (%)
Total sample 42 50 3 5
CIMA 43 48 4 5
FTSE 33 61 0 7
SME 47 50 0 3
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 92/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
63
Table 3.18 Consequences of risk management
*Mean Std dev.
Total sample
RM has improved corporate planning 2.85 0.91
RM has improved resource allocation and utilisation 2.83 0.96RM has improved management reporting 3.05 1.02
RM has improved communication within the organisation 2.77 1.02
RM has improved relationships with shareholders 2.34 1.08
RM has improved relationships with customers/clients 2.70 1.01
RM has improved relationships with suppliers 2.44 1.02
RM has improved management of organisational change 2.91 0.99
RM has improved reputation 2.92 1.08
RM has improved recognition and uptake of opportunities 2.88 1.02
RM has improved employee confidence in carrying out their duties 2.69 0.99CIMA
RM has improved corporate planning 2.78 0.92
RM has improved resource allocation and utilisation 2.81 0.96
RM has improved management reporting 2.94 1.02
RM has improved communication within the organisation 2.68 1.01
RM has improved relationships with shareholders 2.36 1.08
RM has improved relationships with customers/clients 2.70 1.01
RM has improved relationships with suppliers 2.46 1.02
RM has improved management of organisational change 2.83 1.00RM has improved reputation 2.86 1.06
RM has improved recognition and uptake of opportunities 2.85 1.00
RM has improved employee confidence in carrying out their duties 2.64 1.01
FTSE
RM has improved corporate planning 3.04 0.83
RM has improved resource allocation and utilisation 2.84 0.98
RM has improved management reporting 3.22 1.06
RM has improved communication within the organisation 2.73 1.02
RM has improved relationships with shareholders 2.32 1.12RM has improved relationships with customers/clients 2.50 1.07
RM has improved relationships with suppliers 2.26 1.07
RM has improved management of organisational change 3.00 0.99
RM has improved reputation 2.82 1.10
RM has improved recognition and uptake of opportunities 2.82 1.12
RM has improved employee confidence in carrying out their duties 2.64 0.85
SME
RM has improved corporate planning 2.95 0.93
RM has improved resource allocation and utilisation 2.90 0.93
(Continued)
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 93/189
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
64
Table 3.18 (Continued )
*Mean Std dev.
RM has improved management reporting 3.48 0.88
RM has improved communication within the organisation 3.30 0.99
RM has improved relationships with shareholders 2.26 1.00RM has improved relationships with customers/clients 2.98 0.95
RM has improved relationships with suppliers 2.55 0.93
RM has improved management of organisational change 3.25 0.84
RM has improved reputation 3.35 1.05
RM has improved recognition and uptake of opportunities 3.15 1.03
RM has improved employee confidence in carrying out their duties 3.05 0.96
* 1 = no improvement; 5 = significant improvement. Std dev.: standard deviation
Table 3.19 Risk management options employed
*Mean Std dev.
Total sample
Transferring the risk using insurance, hedging, contracts,
joint ventures or partnerships, etc. 3.09 1.25
Decreasing the likelihood of risk through management action 3.61 0.93
Decreasing adverse consequences of risk using contingency,
business continuity plans, etc. 3.25 1.02CIMA
Transferring the risk using insurance, hedging, contracts,
joint ventures or partnerships, etc. 2.98 1.29
Decreasing the likelihood of risk through management action 3.53 0.96
Decreasing adverse consequences of risk using contingency,
business continuity plans, etc. 3.20 1.07
FTSE
Transferring the risk using insurance, hedging, contracts,
joint ventures or partnerships, etc. 3.66 1.02Decreasing the likelihood of risk through management action 3.90 0.76
Decreasing adverse consequences of risk using contingency,
business continuity plans, etc. 3.46 0.86
SME
Transferring the risk using insurance, hedging, contracts,
joint ventures or partnerships, etc. 3.05 1.07
Decreasing the likelihood of risk through management action 3.76 0.83
Decreasing adverse consequences of risk using contingency,
business continuity plans, etc. 3.24 0.83
* 1 = low; 5 = high. Std dev.: standard deviation
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 94/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
65
responses imply that traditional methods of managing risk through
transfer (insurance, hedging, etc.) were still seen as more effectivethan more proactive risk management processes.
CIMA responses were slightly more sceptical about the benefits to
corporate planning, management reporting and the management of
organisational change but were more convinced than FTSE (but
less than SME) of the improvements in relationships with cus-
tomers/clients and of employee confidence in carrying out their
duties. FTSE was slightly higher in their belief that relationships
with shareholders had improved.
Costs and benefits of risk management
The extent to which respondents agreed that risk management
practices had delivered benefits that exceeded the cost of the prac-
tices is shown in Table 3.21.
While risk management was perceived to be costlier than the bene-
fits by a tenth of respondents, 50 per cent believe the benefits exceed
the costs. Given the major publicity and governance requirements,
Table 3.20 Perceived effectiveness of risk management approaches
*Mean Std dev.
Total sample
Effectiveness of transferring risk 3.08 1.22
Effectiveness of decreasing the likelihood of risk 3.48 0.94Effectiveness of decreasing adverse consequences 3.14 1.02
CIMA
Effectiveness of transferring risk 3.00 1.26
Effectiveness of decreasing the likelihood of risk 3.41 0.93
Effectiveness of decreasing adverse consequences 3.09 1.05
FTSE
Effectiveness of transferring risk 3.45 1.12
Effectiveness of decreasing the likelihood of risk 3.84 0.87
Effectiveness of decreasing adverse consequences 3.42 0.91SME
Effectiveness of transferring risk 3.10 1.03
Effectiveness of decreasing the likelihood of risk 3.50 0.99
Effectiveness of decreasing adverse consequences 3.13 0.97
* 1 = low; 5 = high. Std dev.: standard deviation
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 95/189
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
66
this suggests that risk management may be substantially seen as a
(costly) compliance exercise. However, half of the respondents
reported that the benefits exceeded the costs which, taken together
with the heuristic processes dominating the systematic processes,
might imply that the costs of risk management differs widely across
the respondents’ organisations.
Risk stance
Using the ideal types applied to risk management developed in
Figure 1.1 and based on the work of Douglas and Wildavsky (1983)
and Adams (1995), we categorised the response about risk man-agement in the respondent’s organisation being about positive/neg-
ative consequences in Figure 3.4.
The correlations above were calculated for each group of organisa-
tions in the four stances. These differences, although not great, do
lend support to the distinction between fatalists (or risk sceptical),
hierarchists, individualists, and egalitarians (or risk aware). We
therefore considered that the risk stance of managers did influence
the risk management practices in use.
Regression analysis
The strong correlations and differences reported in the grouped vari-
ables between the types of respondents and their risk stances sug-
gested that the working hypothesis that risk management leads to
improvement could be further explored. First, the hypothesis was
examined using linear regression expressing improved performance
as a function of the other group variables for all of the data set.
Table 3.21 RM practices have delivered benefits that
exceed the costs of those practices
*Mean Std dev.
Total sample 3.45 0.81
CIMA 3.41 0.81FTSE 3.56 0.93
SME 3.58 0.64
* 1 = strongly disagree; 5 = strongly agree. Std dev.: standarddeviation
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 96/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
67
The variables Effectiveness of basic methods and Effectiveness of
technical methods were not included in the regressions because of
their almost universal high correlations with their usage variables.
The regression equations with all of the variables were found to
produce high adjusted R squared, but the statistical significance of
the variable coefficients were low. The variables relating the degreeof uncertainty of the external environment, stakeholder involve-
ment and the effectiveness of technical methods always had coeffi-
cients with less then 0.05 significance levels. This pattern followed
the pattern of statistical significance of the correlation matrix.
The regression equations for the whole data set are shown in Table
3.22, with the regression equation coefficients, adjusted R squared,
Anova and significance levels shown. The best (in terms of signif-
icance levels of the estimators) regression for all the data includedthe usage variables: Use of basic methods (having a negative coef-
ficient), the Effectiveness of basic methods, Use of technical meth-
ods, and the two process variables: Supporting policies and
culture; and Risk factored into plans.
The Effectiveness of basic methods was then removed from the
regression for all the data to test the shift in adjusted R squared.
There was little effect (Table 3.22), but the Use of basic methods
was not significant. Removing the Use of basic methods variable
from the regression then gave a three variable equation with high
statistical significance to the variable coefficients and an R squared
of 0.44. The equation has surprisingly strong predictive power. It
also provides some support for the findings from the case studies
that how risk is taken into the processes of planning may be more
important than the actual methods used.
The exploration of the regression for the four identified risk stance
sets of data is given in Table 3.23. The regression equations were
RM is about achieving positive consequences in my
organisation
Disagree Neutral Agree
Disagree
Neutral
Risk sceptical
7%Entrepreneurs 14%RM is about avoiding
negative consequences in my
organisation AgreeHierarchists
36%
Risk aware
43%
Figure 3.4 Classification of risk management responses by risk stance
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 97/189
Risk and Managemen 6 8
Table 3.22 Improved performance: linear regressions for group variables
Category Constant Use of basic Effectiveness Use of Supporting Risk fa
methods of basic technical policies and into p
methods methods culture
All data 3.61* -0.452*** 0.654*** 0.479*** 0.381*** 0.417*
3.37* 0.174 0.456** 0.364*** 0.460*
3.72* 0.569*** 0.405*** 0.463*
Risk sceptical -5.06 -0.244 0.466 0.683* 0.799
-5.44 0.670* 0.792*
Hierarchist -0.613 0.369** 0.693** 0.371*** 0.418*
Entrepreneur 16.4** 0.143 0.852 0.083 0.261
18.4*** 1.030* 0.317
Risk aware 7.6** 0.015 0.314 0.337*** 0.442*
7.43** 0.382*** 0.466*
Significance levels: * 0.05, **0.01, *** 0.001. Blank indicates that variable was not included.
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 98/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
69
stronger predictors (higher R squared) when the risk stance was not
about exploiting opportunities – hierarchist and risk sceptical. It was
best fitted to the model for the hierarchist case, with the regression
including the two usage variables and the two process variables and
a high adjusted R squared of 0.54. When risk stance was entrepre-neur, about exploiting opportunities, then only one variable appeared
(Use of technical methods), but the adjusted R squared was low at
0.20. For the risk aware case only two variables entered the regres-
sion, both were process oriented, with an adjusted R squared of 0.36.
These results suggest that risk stance was a significant moderating
influence on methods of risk management and these then led to
reported improved performance of these firms. The two process
variables – Supporting policies and culture, and Risk factored intoplans – were clearly of great interest. From the questionnaire design,
it is difficult to state with confidence that the significance and full
meaning of these have been captured. It suggests that our respondents,
while able to answer the questions asked, were also aware of different
kinds of processes in which risk was being managed. Perhaps the ini-
tial hypothesis and the variables chosen were more closely related to
risk management from the stance of the idea of risk as being not about
opportunity but being about protection for that was where the modelhad its best fit. This observation implies that risk management is
mostly conceived of as fitting a hierarchist stance in respect of meth-
ods and a process stance in respect of the risk aware firms.
Risk management and financial market risk
It was open to the respondents to identify themselves or their
organisations as they thought appropriate. From the 333 responses
it was possible to draw a further smaller sample of identified
Table 3.23 Risk stance: predictor variables and adjusted R squared
Degree to which risk is about protection
Degree to which risk is Risk sceptical Hierarchist
about exploiting 2 process variables 0.56 2 usage variables
opportunities 2 process variables 0.54Entrepreneur Risk aware
1 usage variable 0.20 2 process variables 0.36
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 99/189
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
70
quoted companies (n=41). From the respondents’ voluntary disclo-
sure of their organisation it was possible to explore the degree to
which reported risk management practices were related to capital
market views of these organisations to see whether risk manage-
ment practices increased, was neutral to or decreased beta, alpha
and volatility. The results are shown in Table 3.24.
The sample value of beta 0.98 indicates that the sample of 41 com-
panies was close to a reasonable sample of the market. Also the
volatility in each class was very similar. Interestingly, the alpha value
for the hierarchist group was the highest, perhaps suggesting that
given risk stance, then risk protection might provide higher perform-
ance. Further, it was found that the beta values correlated at 0.393 (P=0.011) with the variable Change in uncertainty and correlated at
[m]0.558 (P=0.01) with the variable Risks factored into plans.
The regression equations of improved performance from this small
sample were similar to the earlier equations for the whole sample,
with an adjusted R squared of 0.57. The regression included the
same four variables but the coefficient of the Use of basic methods
was negative.
Hence, it may be observed that there is an indication that the market
beta for the risk aware group was lower than that for the other
groups. A Chi-squared test on the four stances revealed that, because
of the small numbers in each cell, the differences between the val-
ues in the four cells were not statistically significant. However, col-
lapsing the data into two sets, risk aware and all others, gave
differences in beta which were not significant at the 0.05 level.
The implication of these observations is that the risk aware stance,
in attending to both protection and to opportunity, may affect
Table 3.24 Mean values of risk measures in relation to risk
stance
Stance Beta Alpha Volatility
Total 0.98 0.0022 28.72
Risk sceptical 1.16 0.0002 20.67Hierarchist 1.06 0.004 27.10
Entrepreneur 1.14 0.0006 40.32
Risk aware 0.82 0.002 25.72
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 100/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
71
organisations through the capital markets award of a lower beta,
and hence a higher market value. Here it may be inferred that the
requirements of corporate governance do not necessarily have to
work in opposition to economic rationales of risk as opportunity
and adventure. Given the small sample, this observation should be
treated as indicative rather than definitive and this part of thestudy needs to be replicated on a much larger scale. However, these
indications offer a somewhat tantalising glimpse of the possible
inter-relationship of market, cultural, economic and governance
rationales for risk management.
Summary of main survey findings
Contrary to expectations that risk management practices vary between organisations as a result of their size or industry sector,
there was little evidence of any contingent explanations for risk
management based on either size or business sector. Similarly, if
somewhat surprisingly, respondents’ perceptions of the environ-
mental uncertainty and risk facing their organisations did not
appear to influence basic risk management practices in those
organisations, but did, in the case of the FTSE companies, influ-
ence the use of technical methods.However, perhaps reinforcing traditional stereotypes, CIMA
respondents were more risk-concerned than the other respondent
groups in relation to their organisations, despite having a lower
perception of the competitive intensity and uncertainty in their
industry/sector.
The survey results suggested that risk management was driven by an
institutional response to calls for improved corporate governance
which may reflect both protection and economic opportunity. The
external drivers of risk management practices, rather than competi-
tive intensity, risk or uncertainty, were observed to be external stake-
holders and the demands of regulators and legislation, enacted
through boards of directors, which were likely to exert influence
over the policies and methods adopted for risk management.
However, the trends in risk management were reported to have
shifted from being considered tacitly to being considered more for-
mally and the survey results reflected the respondents’ expectation
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 101/189
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
72
that this trend will shift markedly to a more holistic approach with
risk management being used to aid decision-making.
Risk was seen on an individual level as much about achieving pos-
itive consequences as avoiding negative ones. However, organisa-
tional risk management was reported to be more about avoiding
negative consequences.
The survey found that the methods for risk management that were
in highest use were the more subjective ones (particularly experi-
ence), with quantitative methods used least of all, a result which
replicates many studies. There was also significant reliance on
external advisers. These results suggested a heuristic method of
risk management is at work in contrast to the systems-based
approach that is associated with risk management in much profes-
sional training and in the professional literature.
The reliance on formal accounting-based controls was also called
into question. Importantly, CIMA respondents were less confident
in the formal control systems that existed in their organisations,
suggesting that the professional knowledge of accountants accom-
modates an understanding of the limits of accounting information,
a knowledge not shared by non-accountants.
This research has some significant and important implications forthe role of accountants. The responses reveal that line managers
were mostly concerned with identifying risk, analysing and report-
ing on risk. Finance directors had a major role in analysing and
assessing, and reporting and monitoring risk. Deciding on risk
management action was predominantly the concern of the chief
executive and the board. Management accountants were scored
lower than internal audit and risk managers on the identification of
risk. The finance director was identified with more aspects of riskmanagement than any other role, suggesting that they probably
have a pivotal role in risk management.
There was little reported integration between management account-
ing and risk management. Further, management accountants in the
overwhelming majority of organisations were being marginalised in
relation to risk management. While CIMA respondents consider
that management accountants should have more involvement in
risk management, this was not a view shared by other respondents.
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 102/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
73
Given the major role of public visibility of governance require-
ments, risk management may be seen largely as a compliance exer-
cise. However, half of the respondents reported that the benefits
exceeded the costs, with 40 per cent reporting that benefits and
costs were neutral. Perhaps unsurprisingly, from a risk averse
standpoint, management action to decrease the likelihood of riskwas given the highest ranking, rather than action to achieve organ-
isational objectives. The survey responses implied that traditional
methods of managing risk through transfer (insurance, hedging,
etc.) were still seen as more effective than more proactive risk
management processes.
In relation to financial market risk, the implication of our regres-
sion analysis is that the risk aware stance, in attending to both pro-
tection and to opportunity, does create organisations to which thecapital markets award a lower beta, and hence a higher value. This
led us to infer that the requirements of corporate governance do not
necessarily have to work in opposition to economic rationales of
risk as opportunity and adventure. However, given the small sam-
ples, this observation is indicative only and would need to be repli-
cated on a larger scale.
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 103/189
74
This page intentionally left blank
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 104/189
4Interview data
75
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 105/189
76
This page intentionally left blank
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 106/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
77
To help us to interpret some of the findings in the analysis of our
survey results, we conducted interviews with 14 members of
organizations who had indicated in their survey questionnaires
that they were prepared to be interviewed. Ten were interviewed
face to face and four by telephone. The interviews were based on
semi-structured, open questions in order not to lead the respon-dents. Transcripts of the interviews were made for later analysis.
This section is based upon excerpts from these interviews, in order
to explore the key issues emerging from the survey.
The traditional approach to risk management
Four organizations we interviewed perhaps best describe the tradi-
tional approach to risk management.
We spoke to the commercial director of the conference organizing
subsidiary of a multinational NASDAQ-listed advertising group
who described risk in his organization.
Risk is the ability to meet annual sales, gross profit and net profit
forecasts. But there is a gap between the actual committed busi-
ness on the books and the forecast which comes from pressure
from the analysts to achieve a particular share price, hence our
parent is now a takeover target.
The business risk is not only having insufficient business, but
winning business that stretches the available resources as events
may have to be staged at the same time to meet client demands.
We are only as good as our last event. This lies with our project
directors at the point of delivery. Any difference of opinion with
the client has the potential to be our last event. The risk of having
a single point of contact in a client is that if that person moves onit is more of a risk than an opportunity.
Risk is not an agenda item on management meetings, even
though the business aspires to double in size over the next three
years.
The risk is that we can either win business then recruit up, or
recruit in anticipation of winning business. We default to the
more conservative.
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 107/189
The business is conservative. The group’s key performance meas-
ures are based on tight control of overheads and margins. This
means we are less likely to take considered or managed risk,
although this is sometimes betrayed by particular clients or projects.
An account director for the same organization added:
I think it will change. We are following the US with litigation.
There is more pressure to demonstrate the ability to manage risk,
especially where we are working in public spaces.
The general manager and supply chain director for an aerospace
division of a management buyout funded by institutional investors
replied:
There is no structured approach to identify risks. There is an
annual budget, a quarterly board review and a monthly rollingforecast. I consider risk as part of forecasting. The finance direc-
tor keeps contingencies and provisions to manage the financial
risk. There is a large burden of interest charges as a result of the
institutional buy-out. We are caught between big suppliers and
big customers. If we don’t pay the supplier stops credit, but we
don’t stop the customer’s credit when they don’t pay on time.
If we introduce new parts there is project management, and risk
management takes place through failure mode and effect analysis(FMEA).
Risks are not well understood in this company.
We are totally reactive. We are obsessed with day-to-day produc-
tion. We are starting to look at preventive maintenance but we
need headroom and resources to do that.
Two examples served to illustrate this reactivity.
We had a 12 000 tonne press that was the largest in Europe, hav-
ing been bought 50 years previously. A 25 tonne piece of steel
cracked. The risk of this happening was low, it had been there for
20 years with no problem. It could be argued that we should have
had a spare or a routine inspection programme but we hadn’t got
that level of detail. The result was that the press was down for a
week and we lost a quarter of the month’s production and delays
to projects, which in aerospace can be critical. But the mean time
between failures was 20 years.
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
78
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 108/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
79
We have had 3 fires in the 14 months I have been here. There was
old wiring and our risk management was that the site is next to a
fire station. We have since done a complete rewiring.
The third organization was a voluntary charity, where we spoke
with the vice chair, the manager and a trustee.
Risk management is not one of our strengths, we have focused on
the finance issues … We ought to be looking at policy review and
those sort of more managerial issues, and in there I would lump
risk management … If we focus slightly narrowly on definitions of
risk and how we look at that we perhaps wouldn’t get too many
marks out of ten.
Vice Chair
Our motivation was that it is actually the trustees or the board who
have responsibility if things go wrong. Before we became a com-
pany limited by guarantee, the trustees were individually liable.
Manager
If you look at a board agenda and minutes and try to find the
word risk you will struggle, but it is inherent in everything we
do. I don’t want to focus too much on finance, but if we use
finance as an example because it’s been such a big issue in the
last few months, if we looked at the performance of any one area
in financial terms, if it was starting to overspend we would veryrapidly be aware of that and would understand the risks to the
organization if we allowed that to continue … Certainly, if we
ever faced a court it would be incumbent on us to show that we
had actually thought about risk and done something about it.
Vice Chair
Organization four was a privately owned large engineering consul-
tancy with 3500 employees. It had recently appointed a risk man-
ager to address professional indemnity claims experience that hadresulted in an increase in its excess per claim from £5000 to £500 000
and an annual premium of several million pounds. The company
had also estimated the cost of project over-runs, non-productive
time, and contractual penalties as 2 per cent of its turnover. The
company had determined to increase dramatically its attention to
risk management by top management leadership, management
training, and greater attention to contractual negotiations and con-
tract monitoring.
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 109/189
Explanations for survey results
Drivers of risk management
The survey found that the main drivers of risk management were
compliance rather than competitive intensity or environmental
uncertainty and we sought to explore this issue in depth with ourinterview respondents.
Investment funds are driving the risk management agenda, ask-
ing questions of the board about the sustainability and reduction
in volatility of profits. Turnbull raised understanding of the
issue but a few were taking issue before Turnbull, although most
came after.
Chief Executive, UK association of risk managers
Stakeholders are starting to ask more questions on how you run
your business and so forth. The media is obviously another one,
so the knowledge within the market is becoming greater, therefore
there is a need for greater transparency. I believe we are develop-
ing our risk process on the need to demonstrate transparency … I
think historically risks have been hidden. Whereas if you actually
say, look at these risks I have identified, this is how I am manag-
ing it, I think people are more impressed because you’ve thought
about it, you know what is coming up, and you are putting some-
thing in place to manage it.
Group Risk Manager, FTSE company, Financial Services
The drivers were all Turnbull really, we are obliged to take it seri-
ously, so that was the driver. It’s a combination of Turnbull,
Health and Safety together with some insurance stipulations.
Finance Director, subsidiary of listed PLC
An alternative view was expressed by SMEs, whose focus was
more direct.
I think the biggest driver is profit. We are constantly looking at
how we can improve the profitability of this company and that
will throw up various things that we need to do which will, of
course, incur ever increasing risks. Whatever decision, expanding,
contracting, it still incurs risks that we have to try and deal with.
Chairman, SME, computer retail
However, business shocks also featured as an important instigator
of risk management activity.
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
80
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 110/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
81
To be honest, about 10 years ago we had a disastrous project. After
that we had to have a hard look at the way we did things. Main
board were insisting that we adopt more rigorous procedures.
That was the main driver for risk management really.
Non-executive director, SME, Contracting
The motivation for risk management is to establish best practicein corporate governance in case we need to float [on the stock
exchange] again. We did have problems recently with our funda-
mental controls when senior managers were looking at takeovers
and refinancing and took their eye off the ball.
Group audit manager of an unquoted retail company with
around 500 retail stores, a CIMA member, with
responsibility for risk management, referring to high
profile news stories a year or two earlier
But there was one respondent who, perhaps, was more honest than
he needed to be. The same group audit manager described in detail
for us the role of the risk management committee, the brainstorm-
ing of ‘risk drivers’, the production of a risk register, determining
controls and the effectiveness of controls, visual risk maps that
show both the probability and severity of risk (quantified in mon-
etary terms), and the separation and reporting of gross risk (before
implementation of controls) and net or residual risk (the risk
remaining after controls are implemented). However, at the end of
the interview, almost as an afterthought, he added:
This looks great on paper, it gives confidence to external audit
and the audit committee. There should be business benefits, but
as it is, it is important. It is a political tool.
Group audit manager of an unquoted retail company,
with responsibility for risk management
The survey results suggested that the competitive environment didnot seem to have much impact as a driver of risk management.
Only a few respondents commented on this.
I think in the present climate that is probably true, although it is
starting to change. Turnbull has been a driver to actually put it
on the agenda. This year I have met with three FTSE 100
Chairmen and two FTSE 100 CEOs to talk about risk manage-
ment. The broad impression I have got from them is that risk
management is moving from a box-ticking exercise and the board
is beginning to see the value of it, although it varies considerably
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 111/189
within organisations. So it is beginning to change by adding
some business value, but it is certainly driven by compliance.
Vice President, European federation of
risk management associations
The SME view was again focused on more immediate concerns.
The problem I am faced with right now is increasing competition
and diminishing margins, which is a big risk and threat … I’ve got
to find ways of running with less sales people, doing more business
and again it comes back to software and information that allows me
to find out as much information as I can about our customers.
Chairman, SME, computer retail
Trends in risk management
The trends in risk management that the survey identified revealed
a marked shift from the historic tacit consideration of risk to the
current systematic approach driven by the need for compliance
(which respondents repeatedly referred to as the ‘tick-box’
approach) and the suggestion that, in future, risk would be consid-
ered and used to make decisions (which again, was typically
referred to by respondents as risk being ‘culturally embedded’). We
asked our respondents for their views on this shift.
The tick-box and procedures help identify the risks which are
brought to us and facilitate our ability to decide how we are going
to manage them.
Non-executive director, SME, Contracting
Moving beyond the tick-box approach is certainly a goal of the
organisation … We focus in on the top 10 risks, we don’t just tick
a box and think that we’ve got the procedures in place therefore
we are risk free. It’s identifying and ranking these in terms of importance … the move from tick box to value adding is very
much driven by guidance given by our parent company.
Finance director, subsidiary of listed PLC
The key issue is to actually do a few things that demonstrate some
value from that exercise. Now most business managers are natu-
rally focused on personal rewards and so on their business plan.
When you ask them to explain their strategy and start asking ques-
tions like ‘What’s going to knock that off course?’ they don’t under-
stand the question. They say ‘We’ve got it all planned, we’ve
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
82
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 112/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
83
looked at the sensitivities’. Most people do the sensitivity around a
plan quite well, but it doesn’t take care of the real risks. Once they
see that, they start thinking outside the box and suddenly they can
see some value because they can see that there are potential issues
that will actually knock their plan off course [and impact their
personal rewards]. What they can see from risk management is a
means of trying to limit the area of unpredictability.
Vice President, European federation of
risk management associations
My belief is that there is a strong desire, certainly in my busi-
ness, not just to have it as a box-ticking exercise – a very strong
desire – but there is the clear recognition that it can be a box-
ticking exercise and that perhaps other people, although I
suspect less these days, are looking at it like that. There is a
strong desire to get business value out of what we do andtherefore one of the biggest challenges for me and my colleagues
is to make sure what we do is of a non-bureaucratic, non-admin-
istratively rich environment, but that is certainly meeting the
Code, because philosophically we do agree with the requirement
and need for stronger governance structures, but we take the
opportunity to strengthen the business in doing this.
Risk manager, telecommunications PLC with
UK and US listing
Effectiveness of methods
The introduction of more sophisticated risk management tech-
niques would, we had assumed, naturally follow from a compli-
ance-focus. However, this was not the case in the survey results.
Even for FTSE respondents, only about half believed that the more
technical or sophisticated methods of risk management were not
particularly effective.I think that’s probably true. Keep it simple is the easiest approach.
It’s the most effective in terms of getting people locked into it
because, if you come up with a complicated, complex process, it’s
yet another thing for people to learn and understand. The danger
is it really tends to then continue the silo mentality of doing lots
of things in business. It creates another silo of information and
analysis. If it’s simple, then you can embed it in the process.
Vice President, European federation of
risk management associations
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 113/189
I agree that it should definitely be intuition and experience. I sup-
pose sprinkled over with a bit of objectivity, which is where the
accountant comes. I don’t think using software is the answer, I
think you would be going back to a box-ticking exercise.
Finance Director, subsidiary of listed PLC
It is very difficult to get a solid database on which to start doingquantitative analysis you know, the world changes and all the fac-
tors change, so it is very difficult to start putting figures on. I think
intuitive at the moment is certainly the move we’re making … I
think it’s very intuitive, in that you learn as you go along and the
only way you can do that is on past experience and therefore the
more experience you can tap into, the better your intuition can
become … There is a use for impact/probability because it enables
you to provide a pictorial representation of where you think the
risks are. Now, if you are looking at busy directors, if you givethem that one page pictorial view, it focuses their minds. Then
you get more time to discuss the risks, rather than giving them
reams of paper.
Group Risk Manager, FTSE company, Financial Services
However, it was recognised that while sophisticated methods of
risk management were used, these were evident at lower organisa-
tional levels, rather than at corporate level, where the methods
were subjective, based on experience and intuition (in our surveyresults we classified these as basic).
We use sophisticated methods, but not on every job. When there
is potentially a high risk, and we need better quantification we
will employ a more sophisticated and analytical approach. We
will write down risks and make an assessment of each risk using
statistical analysis. Of course, this is still only a guide for a deci-
sion that will rely on experience and intuition as well.
Non-executive director, SME, Contracting
Most of the more sophisticated methods, although that is not
quite the right word, have specialist uses which are valuable if
applied in the right place, but don’t tend to carry value in my
view if you try and use them across a whole business. What I do
and have done in previous organizations and which is well
accepted by boards and is mostly seen as adding value can be
described as the more touchy feely. It is around workshops, it’s
around risk assessment, it’s around simple risk mapping and
simple summaries of risk mitigation and actions out of that.That becomes a continuous process of looking at that type of
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
84
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 114/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
85
thing in a simple, quick, normal management – as much as pos-
sible – style of doing things. Now that’s not to say that those
types of much more sophisticated techniques don’t have their
place – I believe that they often do – but they need to be used
and valued in a much more focused environment, not business-
wide.
Risk manager, telecommunications PLC
with UK and US listing
Even those who used apparently objective techniques were dubi-
ous about their reliability. One respondent demonstrated the
subjectivity of figures that were the result of extensive analysis:
Our risk map reports show that the value of the recommendations
made by our risk management committee is about £268 million.
This is how much the business would be better off by imple-menting those recommendations, although the real figure is prob-
ably only half of this.
Group audit manager of an unquoted retail company,
with responsibility for risk management
The complexity of business and the environment in which it oper-
ates was a key theme for our respondents.
Our risk management processes are based on experience and to a
certain extent gut feel … if you go the complex route with all sortsof statistical analysis then to a certain extent, what are you adding
to the business? The business knows what it is trying to achieve
and it’s the risks it is wanting to look at, not necessarily all of the
analysis that goes with it.
Group Risk Manager, FTSE company, who also acknowledged
that they were waiting to see what the Financial
Services Authority expected of them
Involvement of management accountants in risk management
We were, of course, particularly interested in the role of manage-
ment accountants, particularly when our survey highlighted that
while management accountants wanted to become more involved
in risk management, other organizational members did not share
that view.
We asked a management accountant about this. The interview com-
menced with the management accountant saying he did not con-tribute much to risk management. But as the interview progressed,
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 115/189
it became clear that much of what he did was risk management, he
just had not realised it.
The risk to the editor is that he would not get sufficient money to
develop his circulation target contained in the five-year strategy.
For example, the new [named] section was based on attracting
half a million readers, but this was based on the editor’s gut feel.The accountant qualifies this in a mini-business plan … I trans-
form the editor’s gut feeling to numbers on a piece of paper.
Management accountant, broadsheet newspaper,
part of multinational group
Primarily, however, we explored this with the non-accountants.
The accountant has an operational risk to perform and they
have their own set of risks … I think they have got quite a piv-
otal role, in terms of analysis and modelling, of where we are
going and I am bringing actuaries into that category as well in
terms of helping to quantify and assess the impact of risk … in
developing the sort of formulae that are required to make
assessments.
Group Risk Manager, FTSE company,
Financial Services
I don’t think the management accountant has any more responsi-
bility than say a production director, a commercial services direc-tor or whatever. I think in practice it’s one of those legislative
requirements that tend to get dumped on accountants.
Finance Director, subsidiary of listed PLC
The predominant view was that accountants should be in support-
ive rather than a leading role in relation to risk management. It was
generally agreed that management accountants had an important
role to play, but this was largely concerned with producing analy-
ses of impact of risks to support risk managers.
Accountants are good at identifying qualitative issues. They carry
weight because they can argue that there is a limit to numeracy. It
is a challenge for the profession as only a small number of people
are comfortable with change and the entrepreneurial ethos. The
financial manager is often the risk manager for the organization.
The risk manager may have the ear of the board, but the finance
director sits on the board. Actuaries have been invisible in risk
management.
Chief Executive, UK association of risk managers
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
86
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 116/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
87
Management accountants are the owners of the business
processes such as the budget pack, the strategy pack, long-term
business plans etc., which tend to come out of corporate with all
the relevant templates. There is a very strong role for them to be
involved and work closely with the risk manager, so that the risk
manager can embed the risk management thinking into all those
processes … Where management accountants can I think be use-
ful support is in assisting risk management. The impact aspect
sometimes might get quite detailed. You might want to try and
come up with a rough number for the impact on the business and
clearly they are the guys with some good expertise. But I would-
n’t see management accountants driving this, simply because it
will become a number crunching exercise and will be viewed as
that – whether or not it is – it will still be viewed as that. And
management accountants don’t have the skill set to drive risk
management because it’s about cultural change, not about bang-
ing out a new process … the skill set for changing a culture is
probably quite different to the skill set for the management
accountant. It’s a lot more about influencing, changing people’s
thinking on all those aspects of change management. Now maybe
that is part of their skill set, I don’t know, but from the people
I’ve met I suspect not.
Vice President, European federation of risk
management associations
At one end of the spectrum you have the pure downside risks of
the more or less traditional insurance kind of areas. At the other
end of the spectrum you have got really what is all around risk
and opportunity … the big decision about going into a new terri-
tory, a merger, a new product etc. – the really big ones – they are
going to be very risk oriented decisions which will still not be
very analysable because that’s the very nature of entrepreneurship
where you have to have a risk management framework, but it’s
about decision making … But there’s a whole big raft in the mid-dle between those two extremes, where you can use particular
analysis tools, where particularly your management accountants
have a key role in looking at different outcomes and different
modelling and those type of issues.
Risk manager, telecommunications
PLC with UK and US listing
However, respondents did emphasise the distinction between the
role of the management accountant and finance director, which
had been hinted at in our survey responses.
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 117/189
I’ve got a financial controller and he looks primarily after the day-
to-day number crunching and producing the management reports.
I’ve also got a finance director above him … he has to understand
all the aspects of the business as much as possible and then be
able to interpret the financial information and be able to advise on
what risks we face … he acts as a counter balance to my partner
and I who are predominantly from a sales background, who are
traditionally very optimistic and bullish about the way forward.
Chairman, SME, computer retail
The finance director sits on the risk management committee and
he brings his own perspective and we employ a number of man-
agement accountants who work alongside the project managers
and obviously play a part in their area of expertise, financial risks
and so forth. They usually have a view and bring an edge to the
thing, which makes sure the financial considerations are beingproperly taken into account.
Non-executive director, SME, Contracting
The effectiveness of risk management
Some respondents were open about the effectiveness of the
processes in place.
Being honest, we don’t have a formal risk plan in place at themoment … We do review risks to the business formally every six
months to be consistent with the Turnbull recommendation … we
are obliged to do it in all honesty, but we like to think that it
would help us drive our performance and ensure that risks don’t
overtake any opportunities that the business might have.
Finance Director, subsidiary of listed PLC
But there was a contrasting view.
We have a formal risk management system which I consider to bevery effective. We deal with significant contracts and the risks can
be significant … We have an executive risk management commit-
tee which reviews proposals for projects and capital investment.
We stick to that quite rigorously and it helps us to ensure that
risks are being highlighted and managed … Of course, you have
to get people on board or it won’t work. Rigid rules can be by-
passed and controls can be manipulated – if you have that situa-
tion then your risk management is failing.
Non-executive director, SME, Contracting
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
88
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 118/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
89
At the end of the day, the biggest risks to our company is running
out of money, so we have extensive management controls in place
that tell me exactly where I am with regard to cash … I also have
extensive information and feedback with regard to competition,
to let me know what’s going on in the market ... I can’t survive
without extensive management information … the performance of
the sales team … masses of information and statistics, about the
utilisation I am getting out of those people … The key is to have
the information, study it, but then it is intuition, gut feel, your
own interpretation, your own view, in terms of what you do with
that information and the timing of when you do it.
Chairman, SME, computer retail
The benefits of risk management
The interviews gave a clear picture of organizations being initially
driven by compliance with Turnbull and the Combined Code, but
although we only asked survey respondents their perception of
risks and benefits, many organisations have realized that tangible
business benefits can be achieved.
We asked our interview respondents what the benefits of risk man-
agement were, given that around 40 per cent of survey respondents
in the FTSE sample did not agree that the benefits of risk manage-ment exceeded costs.
That doesn’t necessarily surprise me and I think it’s a good chal-
lenge to say whether we all want to be, as risk management peo-
ple, in a position where at least 75 per cent think it is of value,
well that’s where we want to be in two or three or four years
time … The way we do that is by really emphasising and creat-
ing methodologies which aren’t bureaucratic, which are light of
touch, which don’t stifle, kill, strangle entrepreneurship, but
that do add some value.
Risk manager, telecommunications PLC with UK and US listing
I think what risk management is helping to do, is give people
more foresight as to what are the risks that may impact me over
the next 12 months or 5 years, depending on what your strategy
is … you are more likely to have action plans in place, therefore
minimising the time you spend fire fighting and hopefully max-
imising the time you spend developing your objectives.
Group Risk Manager, FTSE company, Financial Services
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 119/189
It’s very difficult because what you’re dealing with is very sub-
jective … You do start seeing benefits though, the number of times
you get invited to discussions or project control committees and
so forth, where your views are actively sought.
Group Risk Manager, FTSE company, Financial Services
Good risk managers are constantly alert to major risks. The DotComs did not recognise the risks. Pension funds like Equitable
didn’t realise the risks they were running, it wasn’t on their radar
until it was too late … ABB bought a company with major
asbestos liabilities that has almost sunk the company. Risk man-
agement is an essential part of due diligence.
Chief Executive, UK association of risk managers
It depends on what you term as the costs and benefits and that is
back to the aspect where there is, perhaps, a place for manage-
ment accountants to actually help bring out some of those num-
bers. It may be the case that things are not cost effective, but the
difficulty is risk management is a long-term investment. It’s
totally incompatible with short-term business thinking and
reporting … Maybe you have to start amortising some of those risk
management costs over a longer period of time … the major risks
might have a one-in-a-hundred years frequency, do you amortise
over a hundred years?
Vice President, European federation of risk
management associations
Embedding risk management in culture
The third phase of the trend in risk management identified by our
survey was risk being used to aid decisions, a significant shift from
the ‘tick box’ approach, where risk management is culturally
embedded and taken for granted throughout the organisation. We
asked our respondents about this.
The difference between organisations who are excellent at risk
management and those who aren’t is probably cultural and there-
fore it kind of flows through as to the type of culture the organi-
sation has. Can you see that from outside? I suspect probably you
can to an extent. That’s not to say that – I know a lot of people
who would then say that if you’re bad at risk management you’re
a bad business – I wouldn’t necessarily say that, I don’t think that
necessarily makes you a bad business. I think it means that you
have got to understand the culture of that business and that there
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
90
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 120/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
91
are likely to be of a particular type, which will be probably quite
a heavy risk taking culture, which will be dominated by an indi-
vidual or a few individuals or something of that ilk. Now that
doesn’t make them a bad business ... But the problem with that in
the future may come from a mismatch in expectations between
what the shareholders of that business actually have and what
that business is actually doing. Particularly if you are ticking a
whole bunch of boxes that say ‘I have good corporate governance’
but the reality is that it is a sham.
Risk manager, telecommunications PLC
with UK and US listing
Risk management needs to be embedded in the culture of the
company. Some companies have always practised it, for example
safety at DuPont. The example of Tylenol at Johnson and Johnson
was one of maintaining the integrity of the business.1 The dangerof a strong culture can work against risk, for example at Enron
where the culture was to work as close to the line as possible.
The problem is stopping the juggernaut and being accused of dis-
loyalty.
Chief Executive, UK association of risk managers
There was a view that much of the cultural embeddedness was a
national factor.
I’d have to say that about 90 per cent of what I still see in risk man-
agement is still around reducing the negative consequences …
Looking at the upside, it’s starting … it’s a gradually evolving
process. It’s getting that cultural change within the businesses …
The concept of risk management is fairly well accepted in the UK,
simply because it’s probably been driven by Turnbull and the
Combined Code. If you go outside the UK, Germany is fairly well
integrated into the thinking, because again they have got corporate
governance that reinforces that whole process. The more Latin
approach is ‘I know how to manage my risks. I’ll take the chance’
etc., without a logical thinking through, it’s a lot more gut instinct.
Now some of that works very well and you need to encourage that,
otherwise you shut the business down. That’s where you get the
link between the culture and the processes because, if you haven’t
got the processes and you haven’t got the right culture, the
processes either won’t be implemented or else they will be imple-
mented in a box-ticking way.
Vice President, European federation of
risk management associations
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 121/189
Perhaps the best example of risk management being embedded in
culture came from the international loss prevention manager of a
Fortune 500 chemical engineering company.
If you have a risk management culture then the process of risk
management should really be fully integrated with everybody, so
you don’t need a person strutting around saying ‘I am the riskmanager’ … I’m more comfortable with the term consultant and
what I bring to bear in that is experience I have with treatment of
risks, which may be insurable or not insurable.
We have a very strong culture of risk management, as a company
we, for about 30 or 35 years, focused very strongly on safety.
That’s only one risk arena of course, but safety has been held very
publicly to be more important than profits, more important than
turnover, more important than many other things – more impor-tant than anything in fact in our company. And the guy at the top
says that every time he starts a major report. As a consequence of
that approach we have a world-class safety record and we are cer-
tainly the leader, the best, in the chemicals business worldwide.
This comment invited the researchers to question how sharehold-
ers perceived safety as more important than profits.
Inevitably, there are direct savings as a result of not having
injuries, there are also indirect savings. Our incident managementsystem looks at everything that happens. It may be a spanner drop-
ping on a workman’s head. He may be wearing a hard hat – he
should be. There may be a property implication, if that spanner
falls into a piece of machinery or arcs some electrical equipment
or something like that. Now there’s a direct benefit from having
fewer injuries … I don’t know that it has a direct impact on share-
holders, but I think they like the story and frankly, if a company
has the best safety record in the business, as a shareholder you
would probably like to be associated with that company.
We asked about the evolution from a safety culture to a risk man-
agement culture.
It seems to me that most of the risks that face us are associated
with people or the activities of individuals or groups. External
risks exist of course, earthquakes and storms, but you can do
much more to control behaviour than you can to control the
weather or seismic activity … I think that is generally embedding
in culture, in people, that you need to have a responsibility for the
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
92
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 122/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
93
safety of colleagues and that you need to do things carefully and
check with the right people that you’re managing, that you’re
negotiating the right terms in contracts and that you’re running
the plant safely.
International loss prevention manager of a Fortune
500 chemical engineering company
Conclusion
We asked a senior risk management professional about the differ-
ence between organisations that are seen as very good at risk man-
agement and those that are poor at it. His comments provide a
powerful conclusion to this chapter.
From the top level down there will be a different culture within
the organisation, where you would have people thinking outside
the box in terms of what might knock their plans off course. This
would be an organisation that doesn’t issue profit warnings,
doesn’t have major unjustified exceptional costs on its annual
accounts because they thought about things in advance. They
have managed acquisitions and mergers proactively to ensure
that they have met their targets and objectives and haven’t
impaired the goodwill or asset values. These are some of the
things you might see. A profitable and successful company,
excellent reputation, corporate social responsibility – you
wouldn’t see them being fingered as people who are exploiting
the third world, child labour, etc. – all those things sort of come
out of it. They have got their supply chain issues sorted out. I
guess out in the City, analysts are comfortable with what they are
hearing and probably their estimates are pretty close to what the
organisation achieves. Good credit rating, because they can see
that they are good value and their ratios are all good. So all those
sort of things ought to be indicators of good risk management. I
mean they will also be indicators of other things as well in terms
of good general management, performance and risk management
is just one aspect of that. That’s where you come back to the chal-
lenge to identify, you know, the risk management aspects if you
are trying to quantify the benefits of risk management because it’s
sort of mixed in and it ought to be embedded in the thinking, so
if it’s properly embedded it’s almost difficult to bring it out.
That’s a challenge.
Vice President, European federation of
risk management associations
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 123/189
Summary of main interview findings
The traditional approach to risk management was evidenced in
many interviews. This revolved around achieving targets, the lack
of a structured approach to risk management, an emphasis on being
reactive and perceiving the downside of risk rather than risk as
missed opportunity.
The drivers of risk management were certainly seen as the
increased corporate governance agenda but, equally, so were the
increased expectations of investors. This was linked to legitimating
activity, part of the ‘tick box’ compliance approach. There were
also examples of business shocks that had resulted in risk manage-
ment moving up the management agenda. However, interviewees
did give examples of the beginning of a shift to a more proactivestance where risk management was seen to deliver business bene-
fits. There was a strong emphasis from our interviewees that this
shift was likely to increase with a move away from the ‘tick box’
approach.
In terms of methods of risk management, our interviewees
advised us that ‘keeping things simple’ was best, although more
sophisticated techniques were more likely to be used at lower
organizational levels. This was largely because business was socomplex and supposedly ‘objective’ methods may not be reliable.
However, many interviewees suggested that there needed to be a
balance between the objective information (the role of the
accountant) and more subjective methods based on experience
and intuition.
Interviewees saw the skill set of management accountants as not
being appropriate to a wider involvement in risk management,
although their analytic and modelling skills were essential in asupporting role. The distinction between task-oriented manage-
ment accountants and strategic finance directors was reinforced in
our interviews.
The benefits of effective risk management were exemplified by
many interviewees, which included both avoiding downside and
taking advantage of upside opportunities. However, it was
accepted that there was a need culturally to embed risk into organ-
isations as a taken-for-granted practice.
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
94
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 124/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
95
Note
1In 1982, the Tylenol scare began when seven individuals died in
Chicago after ingesting Extra Strength Tylenol that contained
cyanide. While the crime was never solved and Tylenol sales tem-
porarily collapsed, the brand was rebuilt and recovered in only a
few years. The scare led to the introduction of tamper-proof pack-
aging for medicines.
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 125/189
96
This page intentionally left blank
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 126/189
5Research findings
97
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 127/189
98
This page intentionally left blank
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 128/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
99
The literature review
The distinction has been made between event-uncertainty, com-
monly viewed as risk, and information-uncertainty (Galbraith, 1977).
Two of Galbraith’s four organisational design strategies – the creation
of slack resources, and the creation of self-contained tasks – reduce
the need for information processing because of lower performance
standards. The other two – investing in vertical information systems,
and creating lateral relations – increase the organisational capacity to
process information.
We found that risk management systems improved the organisa-
tional capacity to process information, through vertical information
systems but also through the role of risk managers, whose role was a
cross-cutting one. However, accountants were sceptical about thevalue of the information they produced, which was not shared by
non-accountants, who tended to rely on that information.
We noted that risk can be thought about by reference to the exis-
tence of internal or external events, information about those events
(i.e. their visibility), managerial perception about events and infor-
mation (i.e. how they are perceived), and how organisations estab-
lish tacit/informal or explicit/formal ways of dealing with risk.
There is an important distinction between objective, measurablerisk and subjective, perceived risk.
Managers do take risks, based on risk preferences at individual and
organisational levels (March and Shapira, 1987). Some of these risk
preferences vary with national cultures (Hofstede, 1980; Weber and
Hsee, 1998), while some are individual traits (Weber and Milliman,
1997).
The ‘risk thermostat’ (Adams, 1995) recognises that risk propensity
varies based on the risk/reward trade-off and how these are bal-
anced against perceptions of danger. At the organisational level,
Douglas and Wildavsky (1983) explained risk perception as a cul-
tural process, commenting that each culture, each set of shared val-
ues and supporting social institutions is biased toward
highlighting certain risks and downplaying others.
We found that this ‘socially constructed’ view of risk was a better
reflection of organisational risk management than rational model-ling approaches typified by textbooks and professional training as
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 129/189
it reflected the subjectivity of risk perceptions and preferences,
cultural constraints and individual traits. The four ‘ideal types’
developed by Adams (1995) and adapted here as risk stance – risk
sceptical (or fatalists), hierarchists, individualists, and risk aware
(or egalitarians) – was helpful in our research in understanding
individual and organisational risk management practices. The sur-vey found that the risk stance of managers did influence the risk
management practices in use.
The regression analysis results suggested that risk stance was a sig-
nificant moderating influence on methods of risk management and
these then led to perceptions of improved performance reported by
these firms. It seems that risk management is mostly conceived of
as fitting a hierarchist stance in respect of risk management meth-
ods, while the risk aware stance was most closely related to sup-porting policies and culture and risk being factored into plans.
Summary of main case study findings
The conclusions of the four exploratory case studies were:
1. Four domains of risk were observed, reflecting the different social
constructions of participants: financial, operational, political andpersonal.
2. The process and content of budgeting was categorised as risk
modelled, risk considered or risk excluded.
3. Risk transfer took place between and within organisations.
4. Managers ‘held’ risk and provided containment for the anxiety
of others.
The four cases illustrate how the different social constructions of
participants in the budgeting process influenced the domains – oralternative lenses – through which the process of budgeting took
place and how the content of the budget was determined. The
process of budgeting in all four cases was characterised as risk con-
sidered, in which a top-down budgeting process reflected negoti-
ated targets. The content of budget documents were risk excluded,
being based on a set of single-point estimates, in which all of the
significant risks were excluded from the budget itself. The separa-
tion of budgeting and risk management had significant
consequences for the management of risk as the process of
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
100
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 130/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
101
budgeting needs to be considered separately from the content of
budget documents.
Summary of main survey findings
The main findings of the survey were:
◆ There was little evidence of any contingent explanations for risk
management based on either size or business sector. Similarly,
respondents’ perceptions of the environmental uncertainty and
risk facing their organisations were not reported to influence
risk management practices in those organisations.
◆ CIMA respondents were more risk concerned than the other
respondent groups in relation to their organisations, despite
having a lower perception of environmental competitive inten-
sity and uncertainty in their industry/sector.
◆ Risk management appears to be driven by an institutional
response to calls for improved corporate governance which may
reflect both protection and economic opportunity. The external
drivers of risk management practices, other than competitive
intensity, risk or uncertainty, were observed to be external stake-
holders and the demands of regulators and legislation, enacted
through boards of directors which were likely to exert influenceover the policies and methods adopted for risk management.
◆ Risk has shifted from being considered tacitly in the past, to
being considered more formally in the present and the survey
results reflected our respondents’ expectation that this trend
will shift markedly to a more holistic approach with risk being
used to aid decision-making.
◆ Risk was seen on an individual level as much about achieving
positive consequences as avoiding negative ones. However,organisational risk management was more about avoiding nega-
tive consequences.
◆ Methods for risk management that were in highest use were the
more subjective ones (particularly experience), with quantita-
tive methods used least of all. These results suggested that a
heuristic method of risk management is at work in contrast to
the systems-based approach that is associated with risk man-
agement in much professional training and in the professional
literature. It is possible that, even if well developed methods
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 131/189
were in place, managers would always need to transcend them
with heuristics.
◆ The reliance on formal accounting-based controls was also
called into question by the survey. Importantly, CIMA respon-
dents were less confident in the formal control systems that
existed in their organisations, suggesting that the professionalknowledge of accountants accommodates an understanding of
the limits of accounting information, a knowledge not shared by
non-accountants.
◆ There was little integration between management accounting
and risk management, and management accountants in the
overwhelming majority of organisations were being margin-
alised in relation to risk management.
◆ Line managers were mostly concerned with identifying risk,
analysing and reporting on risk. Finance directors had a major
role in analysing and assessing, and reporting and monitoring
risk. Deciding on risk management action was predominantly
the concern of the chief executive and the board. Management
accountants scored lower than internal audit and risk managers
on the identification of risk. The finance director was identified
with more aspects of risk management than any other role, sug-
gesting that they may have a pivotal role in risk management.
◆ Given the major public visibility of governance requirements,risk management may be seen largely as a compliance exercise.
Management action to decrease the likelihood of risk was given
the highest ranking, rather than action to achieve organisational
objectives.
◆ Traditional methods of managing risk through transfer (insur-
ance, hedging, etc.) were still seen as more effective than more
proactive risk management processes.
◆ The results of the regression study showed that risk stance didmoderate the perceived usefulness of risk management prac-
tices. The main explanatory variables of improved performance
were the degree of use of basic methods, the degree of use of
technical methods, the degree to which there were supportive
policies and cultures and the degree to which risk was factored
into plans. This last variable underlined the findings from the
exploratory case studies where it was found that risk did not
enter the actual budgets but was considered in the processes of
budgeting.
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
102
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 132/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
103
◆ The risk aware stance, in attending to both protection and to
opportunity, does create organisations to which the capital mar-
kets award a lower beta, and hence a higher value. The require-
ments of corporate governance do not necessarily have to work
in opposition to economic rationales of risk as opportunity and
adventure. This tantalising indication needs some furtherresearch.
Summary of main interview findings
The main findings of the interviews carried out to explore the sur-
vey findings were:
◆ The traditional approach to risk management revolved around
achieving targets, the lack of a structured approach to risk man-
agement, an emphasis on being reactive and perceiving the
downside of risk rather than risk as missed opportunity.
◆ The drivers of risk management were seen equally to be the
enlarged corporate governance agenda and the increased expec-
tations of investors. This was linked to legitimating activity,
part of the ‘tick box’ compliance approach. There were also
examples of business shocks that had resulted in risk manage-
ment moving up the management agenda. There were examples
of the beginning of a shift to a more proactive stance where riskmanagement was seen to deliver business benefits. There was a
strong emphasis from our interviewees that this shift was likely
to increase with a move away from the ‘tick box’ approach.
◆ In terms of methods of risk management, keeping things simple
was seen as the preferred approach, although more sophisticated
techniques were more likely to be used at lower organisational
levels. This was largely because business was so complex and the
supposedly ‘objective’ methods may not be reliable. However, itwas recognised that there needed to be a balance between the
objective information (the role of the accountant) and more sub-
jective methods based on experience and intuition.
◆ The skill set of management accountants was not seen as being
appropriate to a wider involvement in risk management,
although their analytical and modelling skills were essential in
a supporting role. There is an important distinction between
task-oriented management accountants and strategically-ori-
ented finance directors.
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 133/189
◆ There are important benefits of implementing effective risk
management, including both avoiding downside and taking
advantage of upside opportunities. However, it was accepted
that there was a need culturally to embed risk into organisations
as a taken-for-granted practice.
Revised framework for risk management
Figure 3.2 presented a framework for risk management that was
tested using the survey results. The survey results show that:
◆ There were no significant correlations to demographic data
between either the ownership structure of the organisation or
the nature of business, but significant correlations existed
between size and the use of risk management methods.
◆ There was an absence of significant correlations between envi-
ronmental uncertainty and risk and other group variables.
◆ The external drivers of risk management practices were
observed to be external stakeholders and the demands of regu-
lators and legislation, enacted through boards of directors.
◆ There was no statistically significant association between risk
propensity (risk averse, risk neutral and risk willing) and organ-
isation type, sector, or size.
◆ Organisational risk management was more about avoiding neg-ative consequences, suggesting a protective orientation rather
than an opportunistic one.
◆ There are strong and significant relationships between support-
ing processes and culture and the usage of basic and technical
methods of risk management, risks being factored into plans
and improved performance and external relationships.
However, weaker responses suggested that only about half of
respondents’ organisations felt that risks were understood andembedded at the cultural level.
◆ A trend in risk management observed here was from risk being
considered tacitly in the past to it being considered formally in
the present and with the expectation that, in the future, there
would be a more holistic approach to risk being used to aid
decision-making.
◆ The methods in highest use were the more subjective ones (par-
ticularly experience), with quantitative methods used least of
all, reinforcing the conjecture that heuristic (or process)
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
104
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 134/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
105
mechanisms may be more important for risk management than
systematic mechanisms.
◆ There was little integration between management accounting
and risk management, and management accountants in the
overwhelming majority of organisations were being margin-
alised in relation to risk management.◆ Fifty per cent believe the benefits of risk management exceed
the costs. However, traditional methods of managing risk
through transfer (insurance, hedging, etc.) were still seen as
more effective than more proactive risk management processes.
◆ The risk stance (hierarchists, risk aware, entrepreneurs and risk
sceptical) did influence the risk management practices in use.
◆ The regression analysis provided some confidence that four
variables – basic and technical methods of risk management,
supporting processes and culture, and the degree to which risk
was factored into budgets and plans – did quite strongly predict
reported improvement in performance.
◆ The risk aware stance, in attending to both protection and to
opportunity, does create organisations which the capital mar-
kets award a lower beta, and hence a higher value.
Figure 5.1 reflects the research findings, in particular by reflecting
that:1. There are many external drivers to risk management, not only
regulatory but that these are enacted by or through the board of
directors.
2. Other than organisation size, there appears to be no correlation
between environmental uncertainty or competitive factors and
risk management practices.
3. Risk propensity was not as important as risk stance.
4. Risk management practices exist along a continuum of heuristic tosystematic but, at corporate level, the heuristic methods dominate.
5. Risk management practices are believed by respondents to move
along a life cycle from heuristic to systems dependent to cultur-
ally embedded.
6. The involvement of accountants in risk management was
marginal.
7. Risk management was perceived to improve organisational
performance and there was indication that a risk aware stance
could be related to a lower capital market risk profile.
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 135/189
The framework in Figure 5.1, in conjunction with that developed
by Solomon et al. (2000) presents a useful model for understanding
how risk management practices are introduced and develop over
time. The framework does not support the adoption of views
expressed in the Turnbull Report (Institute of Chartered
Accountants in England & Wales, 1999) and the Combined Code onCorporate Governance (Financial Reporting Council, 2003), as risk
was still dominated by downside concerns and risk transfer
through hedging and insurance remains dominant over proactive
risk management. However, the marginalisation of accountants in
risk management reinforces the observations made by Spira and
Page (2003: p.645).
In this study, at the organisational level, the most significant driver
of risk management practice was seen to be corporate governance,enacted through boards of directors and other key stakeholders.
This may be seen as constituting a reliance on legitimation, i.e.
avoiding the risk of being seen not to have a risk management and
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
106
External drivers
Stakeholders, regulators, legislation
enacted through board of directors
Organisational demographics
Organisation size (turnover/employees)
Risk stance
(hierarchists, risk aware, entrepreneurs
and risk scepticals)
Risk management practices
(a) Policy, procedure, methods, etc.
Involvement of accountants/
accounting in risk management
Perceived effectiveness of
organisational performance
and lower Capital Market risk profileand lower Capital Market risk profile
(c) Phases: Heuristic Systems-dependent Culturally-embedded
(b) Continuum: Heuristic Systematic
Figure 5.1 Revised framework for risk management practices in organisations
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 136/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
107
internal control system. While managers reported some influence
on risk management practices from markets, the regression analysis
demonstrated that this was not definitive. Hence, there was little
evidence in the research results that risk management was based
upon an analysis of the business in its context, i.e. of the focus of
risk management being pushed outwards from the organisation. Inthe corporate governance approach, risk management was being
pushed inwards and downwards to line managers but, given the
reported use of ‘factoring risks into planning’ and in the use of
heuristic decision-making, then it may be inferred that corporate
governance is not necessarily antithetical to business venturing.
Risk and the social construction of uncertainty
Uncertainty limits the ability of the organisation to make decisions
in advance (Galbraith, 1977: p.4). As organisational respondents to
this study have not recognised event-uncertainty as anything con-
trollable by risk management, we are left with the notion of risk
management applied to task uncertainty. Uncertainty makes a dif-
ference to organisation structure and increases the amount of infor-
mation that must be processed during task execution. Task
uncertainty, division of labour, diversity of output and level of per-formance determine the amount of information that must be
processed. Following Galbraith (1974) it can be argued that the
greater the risk (task uncertainty) the greater the amount of control is
needed in order to achieve a given level of performance. However,
the adoption of heuristic techniques suggests that the social
constructionist perspective cannot be overlooked by researchers.
Risk management practices existed along a continuum from basic to
technical methods, implemented on a continuum from systematicto heuristic. In concert with recent managerial research (e.g. Hellier
et al., 2002) but contrary to much of the management science liter-
ature, risk management practices reported here emphasise subjec-
tive methods rather than sophisticated analytic techniques.
The importance of the social constructions of managers is at the heart
of this research which, while applying a positivistic methodology, is
based on the social constructions of respondents. The risk stances
model developed from the work of Douglas and Wildavsky (1983)
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 137/189
and Adams (1995) enables a new understanding of how managers
influence risk management and internal control decisions.
The risk sceptical (fatalists in Adams’ ideal type) are those who do
not see risk management as being important or having any conse-
quences, or were neutral. This group comprised only 7 per cent of
the respondents. Entrepreneurs agreed that risk management is
about positive consequences but disagreed or were neutral about
negative consequences, perhaps a risk seeking group. Hierarchists
disagreed or were neutral in relation to positive consequences but
agreed in relation to negative ones. This is the risk-avoiding group.
The risk aware (Adams’ egalitarians) group were balanced between
risk management’s role in both achieving positive and avoiding
negative consequences. This research suggests that this risk aware
group would embed risk in culture and decision-making.
This research has provided a snapshot of the social construction of
uncertainty involving the bracketing of event-uncertainty, the
adoption of a particular stance towards risk and the adoption of
risk management and control procedures based on socially con-
structed risk perceptions and risk propensity, reflected in heuristic
approaches to risk management.
The risk of control
There is an implicit assumption in corporate governance literature
that the higher the risk (in terms of likelihood and consequence),
the higher must be the control of that risk. However, this is a cir-
cular argument. Risk is deemed to be high because something is
either uncertain or has significant consequences, or both. If the
likelihood and consequence of risks could be controlled, then by
definition they would not be considered risky. While risk manage-
ment techniques may be effective for risks over which the organi-
sation has the capacity to exercise control, most external risks are
a different matter. Organisations can develop methods of anticipa-
tion, contingency plans and adopt flexible practices but, in those
cases, ‘control’ may impede or prevent anticipation, contingency
and flexibility. There is then a risk of control (Berry et al., 2005).
Risk management practices may lead to an organisation taking
(unwittingly) higher risks. This effect is similar to that discussed by
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
108
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 138/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
109
Adams (1995), where he noted that higher levels of perceived safety
might lead individuals with stable risk preferences to undertake more
dangerous activities. A first risk of control may have arisen because
of the emphasis on controlling threat based upon considerations of
compliance to corporate governance imperatives following upon the
Turnbull recommendation for a risk-based approach to establishing asystem of internal control to provide against worst-case scenarios.
This may have carried through into excessive control by establishing
a range of prescriptive controls such that organisational actions are
overly constrained. Organisational participants may have less room
to manoeuvre and in a turbulent environment this may result in an
increase, rather than a decrease in risk as policies, plans and budgets
do not have the flexibility to cope with the unexpected. Further, it
may be argued that opportunities may be foreclosed.
A second risk of control is that controls put in place for risk man-
agement may have given an unjustifiable confidence that event-
uncertainty was being managed. This may have been especially
true for those organisations which emphasised both of the aspects
of risk management as opportunity or as containing threat.
In this study we were unable to establish the degree to which
organisations understood the relationship of the control of risk and
the risk of control, even though it was clear that many organisa-tions were reported as having equal attention to threat and oppor-
tunity. Nor were we able to examine the differences in the types of
control procedures which were designed to deal with the problems
of threat and opportunity, except for the possibility that the oppor-
tunity risk controls may have been handled in the context of plan-
ning and strategic decision-making and that the threat controls
may have been handled in the risk management procedures. This
was perhaps recognised in the research results that highlighted theorganisational preference for the use of heuristic rather than sys-
tematic risk management practices.
Limitations of the research
There are a number of limitations to the research study arising from:
◆ The limited number of responses and the non-response bias.
◆ The (deliberate) focus on accountants.
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 139/189
◆ The corporate level of analysis.
◆ The design of the survey to collect perceptions of respondents
rather than any validated performance data.
Despite these limitations, the survey provides useful insights into
enterprise-wide internal control procedures to identify and manage
risk and the contribution of, and the consequences for management
accountants.
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
110
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 140/189
6Summary of research andbest practice implications
111
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 141/189
112
This page intentionally left blank
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 142/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
113
The importance of risk management
CIMA’s definition of risk management is the process of under-
standing and managing the risks that the organisation is inevitably
subject to in attempting to achieve its corporate objectives.
The Combined Code on Corporate Governance (FinancialReporting Council, 2003) is established not only as a requirement
for listed companies but, increasingly, as a best practice guideline
for unlisted companies. However, while corporate governance is an
important motivator for risk management and internal control
practices (Spira and Page, 2003), it should be remembered that the
Turnbull Report emphasised that as profits are, in part, the reward
for successful risk taking in business, the purpose of internal con-
trol is to help manage and control risk appropriately rather than toeliminate it. The ‘illusion of control’ (Marshall et al., 1996) or ‘risk
of control’ (Berry et al., 2005) has been suggested, leading to the
importance, not just of formal systems of control, but of informal
controls, frequently embedded in organisational culture.
Valuable frameworks exist for risk management:
◆ The Risk Management Standard (Institute of Risk Management,
2002)
◆ Enterprise Risk Management – Integrated Framework (Committee
of Sponsoring Organisations of the Treadway Commission
(COSO), 2004)
◆ Enterprise Governance: Getting the Balance Right (CIMA, 2003).
The changing role of management accountants is also important in
establishing the context for their role in risk management and wider
views of management control. Risk management is the process by
which organisations methodically address the risks attaching to
their activities with the goal of achieving sustained benefit within
each activity and across the portfolio of all activities. The focus of
good risk management is the identification and treatment of these
risks consistent with the organisation’s risk appetite. Best practice
involves making the organisation’s risk appetite explicit and com-
municating this widely within the organisation.
Enterprise risk management aligns risk management with business
strategy and embeds a risk management culture into business oper-ations. It encompasses the whole organisation and sees risks as
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 143/189
opportunities to be grasped as much as hazards. It is generally
agreed among professional risk managers that the future manage-
ment of risk will be fostering a change in the risk culture of the
organisation towards one where risks are considered as a normal
part of the management process. Best practice involves establish-
ing an appropriate risk management system, but recognising thatthe system may achieve little without a culture that supports the
organisational approach to managing risk.
We have very little understanding of how managers in organisa-
tions perceive and take risks or of the commonalities or differences
between individual risk taking and risk taking by managers in the
organisational context.
Managers perceive risk differently and assess the risk/return trade-
off in different ways. Everyone has a propensity to take risks but
the propensity varies from person to person. The propensity to take
risks is influenced by the potential rewards of risk taking and expe-
rience of ‘accidents’ that cause losses. Individual risk taking there-
fore is a balance between perceptions of risk and the propensity to
take risks.
Research has found that attitudes towards risk taking or risk avoid-
ance exist as a trait on a continuum from risk avoiding to risk tak-ing. Risk perception is also a cultural process, sometimes at a
national level and sometimes at an organisational level, even at an
occupational level (e.g. accountants are often stereotyped as being
risk averse). Each culture, each set of shared values and support-
ing social institutions is biased toward highlighting certain risks
and downplaying others. Research has also found that managers
rely on instinct and experience in forming judgements about risk.
Best practice involves understanding how managers perceive risks,
and their attitude to risk taking, given the organisational culture
and its appetite for risk.
Boards of directors have a responsibility under the Combined Code
to maintain a sound system of internal control to safeguard share-
holders’ investment and the company’s assets. Best practice
involves adopting a risk-based approach to internal control and a
continual review of its effectiveness. The purpose of internal con-
trol is to help manage and control risk appropriately rather than to
eliminate it.
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
114
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 144/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
115
The COSO Enterprise Risk Management Framework is considered
a model of best practice. Its approach to risk-based internal control
contains eight components – internal environment, objective set-
ting, event identification, risk assessment, risk response, control
activities, information and communication, and monitoring.
There has been an implicit assumption in much research that man-
agement control systems play an important part in risk manage-
ment. However, an excess of controls can produce an ‘illusion of
control’. One risk of control is that the existence of controls may
lead managers to believe that risks are well controlled, and unfore-
seen circumstances may arise or opportunities may be missed
because of an over-reliance on controls. A second risk of control is
that the existence of controls prevents any risky activities from
being undertaken which leads to missed opportunities. Best prac-tice involves recognising that, while risk-based controls are essen-
tial to manage risks, excessive controls, or an over-reliance on
formal controls, can be counter-productive.
Management accountants are involved in internal control mecha-
nisms, whether the controls are financial or non-financial. These
controls include planning, information for decision-making, tradi-
tional financial controls, such as budgeting and management
reporting, and balanced scorecard-type systems of non-financial
performance measurement. However, the decentring of accounting
knowledge in many organisations and the increase in technology,
which has eliminated many routine accounting tasks, means that
best practice for management accountants is to move beyond their
traditional role and emphasise adding value to their organisations.
In the context of this report, this means taking a wider perspective
on strategy, risk and management controls, beyond the traditional
focus on what is measurable. A 2002 report produced by CIMAargued that management accountants, whose professional training
includes the analysis of information and systems, performance and
strategic management, can have a significant role to play in devel-
oping and implementing risk management and internal control
systems within their organisations.
This wider view was evidenced in the four case studies described
in the report. The four cases illustrate how the different social con-
structions of participants in the budgeting process influenced the
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 145/189
domains – or alternative lenses – through which the process of
budgeting took place and how the content of the budget was deter-
mined. Different ‘domains of risk’ reflected the different social con-
structions of participants.
There was little direct evidence of ‘risk modelling’ in the four cases
and a minor reflection of risk consideration in one case. The
process of budgeting in all four cases was characterised as ‘risk
considered’, in which a top-down budgeting process reflected
negotiated targets. The content of budget documents were ‘risk
excluded’, being based on a set of single-point estimates, in which
all of the significant risks were excluded from the budget itself. In
terms of best practice, the separation of budgeting and risk man-
agement has significant consequences for the management of risk
as the case studies suggested that there is a relationship betweenthe social constructions of budget participants at different levels of
analysis that impacts the budgeting process. In particular, the
process of budgeting, by excluding some risks and considering
others, is seen to be different to, and needs to be interpreted sepa-
rately, from the content of the budget.
While we did not identify best practice in these cases, we consid-
ered that best practice involved moving beyond a narrow focus of
accounting or broader quantitative issues and addressing the socialconstructions of participants in the budget process. We thought
that these findings may be generalisable beyond budgets to other
forms of management control. Given that the case studies sug-
gested that the most significant risks may be excluded from finan-
cial reports, the requirements of governance and internal control
motivated us to consider in greater depth the relationship between
risk and management control, and the role of management account-
ants in that dynamic.
Research conclusions
The main conclusions from the research were that:
◆ The framework of risk management practice describes the
antecedents of risk management practice and reflects both a
continuum from heuristic to systematic policies, proceduresand methods.
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
116
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 146/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
117
◆ Heuristic methods of risk management were used much more
than the systems-based approach that is associated with risk
management in much of the literature, at least at the corporate
level of risk management. The methods in highest use were the
more subjective ones (particularly experience), with quantita-
tive methods used least of all. It is suspected that crucial assess-ments of risk were undertaken in managerial dialogues rather
than in any final risk management process, reinforcing the role
of the human actor over analytical techniques. There was also
evidence of significant reliance on external advisers.
◆ The organisational stance towards risk (risk sceptical, hierar-
chists, entrepreneurs and risk aware) was an important deter-
minant of risk management practices.
◆ The ‘trend’ model demonstrates the perception by respondents
of a shift over time from risk being considered tacitly in the past
to it being considered more formally at the present, with the
expectation of respondents that, in the future, there will be a
more holistic approach with risk being culturally embedded
and used to aid decision-making.
◆ Risk management practices in use were perceived by respon-
dents to have delivered benefits that exceed the cost.
◆ CIMA respondents were more sceptical about the value of
accounting-based tools and controls than other respondents.◆ The finance director was identified with more aspects of risk
management than any other role, suggesting that they may have
a pivotal role in risk management. However, management
accountants in the majority of organisations were being margin-
alised in relation to risk management. CIMA respondents indi-
cated that management accountants should have more
involvement in risk management, although this was not a view
shared by other respondents.
The results suggested that risk management practice was driven
institutionally rather than strategically or economically. The
response by organisations has not been to the logic of markets in
terms of competitive intensity and environmental uncertainty but
more an institutional response to calls for improved corporate gov-
ernance. Risk management may therefore be more about protection
against the uncertainties of the internal world, however that may
be perceived, rather than about protection against or engaging withuncertainties of the external world.
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 147/189
Summary of research findings and implications forbest practice
Main survey findings and best practice implications
Contrary to expectations that risk management practices vary
between organisations as a result of their size or industry sector,there was little evidence of any contingent explanations for risk
management based on either size or business sector. Similarly,
respondents’ perceptions of the environmental uncertainty and
risk facing their organisations did not appear to influence risk man-
agement practices in those organisations.
However, perhaps reinforcing traditional stereotypes, CIMA
respondents were more risk concerned than the other respondent
groups in relation to their organisations, despite having a lowerperception of the competitive intensity and uncertainty in their
industry/sector.
These survey results suggested that risk management was driven by
an institutional response to calls for improved corporate governance
which may reflect both protection and economic opportunity. The
external drivers of risk management practices, other than competi-
tive intensity, risk or uncertainty, were observed to be external stake-
holders and the demands of regulators and legislation, enactedthrough boards of directors which were likely to exert influence over
the policies and methods adopted for risk management.
However, risk has shifted from being considered tacitly to being
considered more formally and the survey results reflected our
respondents’ expectation that this trend will shift markedly to a
more holistic approach with risk being used to aid decision-mak-
ing. Although our research found that adherence to the regulatory
environment is essential, we would suggest that best practice goes
much further than this, emphasising the importance of culturally-
embedding risk awareness in organisations.
Risk was seen on an individual level as much about achieving pos-
itive consequences as avoiding negative ones. However, organisa-
tional risk management was more about avoiding negative
consequences. Best practice is likely to emphasise a broader oppor-
tunistic approach to risk management, based on a risk/return trade-
off, rather than a purely defensive or protective stance.
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
118
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 148/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
119
The survey found that the methods for risk management that were
in highest use were the more subjective ones (particularly experi-
ence), with quantitative methods used least of all. There was also
significant reliance on external advisers. These results suggested a
heuristic method of risk management is at work in contrast to the
systems-based approach that is associated with risk management inmuch professional training and in the professional literature. As
previously stated, best practice will involve using appropriate and
effective tools, but these tools should be supplemented by experi-
ence, intuition and judgement.
The reliance on formal accounting-based controls was also called
into question. Importantly, CIMA respondents were less confident
in the formal control systems that existed in their organisations,
suggesting that the professional knowledge of accountants accom-modates an understanding of the limits of accounting information,
a knowledge not shared by non-accountants. Best practice may
therefore involve the training of users of financial information in
the limitations of that information.
The responses reveal that line managers were mostly concerned
with identifying risk, analysing and reporting on risk. Finance
directors had a major role in analysing and assessing, and report-
ing and monitoring risk. Deciding on risk management action was
predominantly the concern of the chief executive and the board.
Management accountants scored lower than internal audit and risk
managers on the identification of risk. The finance director was
identified with more aspects of risk management than any other
role, suggesting that they may have a pivotal role in risk manage-
ment. The distinction here between the role of the management
accountant and finance director is an important one. The best prac-
tice implication for CIMA is that their members may have to reach finance director positions before they can contribute more signifi-
cantly to risk management, but clearly they should be educated to
be able to fulfil that function.
There was little integration between management accounting and
risk management, and management accountants in the overwhelm-
ing majority of organisations were being marginalised in relation to
risk management. While CIMA respondents feel that management
accountants should have more involvement in risk management,
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 149/189
this was not a view shared by other respondents. Best practice, at
least for management accountants, appears to be a shift towards a
more strategic and value adding role which, by definition, includes
a consideration of risk. This is consistent with the literature on the
changing role of the accountant.
Given the major publicity and governance requirements, risk man-
agement may be seen largely as a compliance exercise. However,
half of the respondents reported that the benefits exceeded the
costs. Perhaps unsurprisingly, management action to decrease the
likelihood of risk was given the highest ranking, rather than action
to achieve organisational objectives. The survey responses implied
that traditional methods of managing risk through transfer (insur-
ance, hedging, etc.) were still seen as more effective than more
proactive risk management processes. Best practice involves adeliberately proactive stance towards risk management, rather
than an excessive reliance on traditional techniques, except to the
extent that these techniques remain useful.
In relation to financial market risk, the implication of our regres-
sion analysis is that the risk aware stance, in attending to both pro-
tection and to opportunity, did create organisations to which the
capital markets award a lower average beta and, hence, a higher
value. It is interesting too that it is both the stance and the factor-ing of risk into plans that is related. This led us to infer that the
requirements of corporate governance do not necessarily have to
work in opposition to economic rationales of risk as opportunity
and adventure. However, given the small samples, this observation
is indicative only and would need to be replicated on a larger scale.
Results of interviews to explore survey findings and best practice
implications
The traditional approach to risk management was evidenced in
many interviews. This revolved around achieving targets, the lack
of a structured approach to risk management, an emphasis on being
reactive and perceiving the downside of risk rather than risk as
missed opportunity.
The drivers of risk management were certainly seen as the
increased corporate governance agenda but, equally, the increasedexpectations of investors. This was linked to legitimating activity,
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
120
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 150/189
R i s k a n d M a n a g e m e n t
A c c o un t i n g
121
part of the ‘tick box’ compliance approach. There were also exam-
ples of business shocks that had resulted in risk management mov-
ing up the management agenda. However, interviewees did give
examples of the beginning of a shift to a more proactive stance
where risk management was seen to deliver business benefits.
There was a strong emphasis from our interviewees that this shiftwas likely to increase with a move away from the ‘tick box’
approach.
In terms of methods of risk management, our interviewees advised
that keeping things simple was best, although more sophisticated
techniques were more likely to be used at lower organisational lev-
els. This was largely because business was so complex and sup-
posedly ‘objective’ methods may not be reliable. However, many
interviewees suggested that there needed to be a balance betweenthe objective information (the role of the accountant) and more
subjective methods based on experience and intuition.
Interviewees saw the skill set of management accountants as not
being appropriate to a wider involvement in risk management,
although their analytic and modelling skills were essential in a
supporting role. The distinction between task-oriented manage-
ment accountants and strategic finance directors was reinforced in
our interviews.
The benefits of effective risk management were exemplified by
many interviewees, which included both avoiding downside and
taking advantage of upside opportunities. However, it was
accepted that there was a need culturally to embed risk into organ-
isations as a taken-for-granted practice.
Summary of best practice implications
Institutional investors are likely to value more highly a well-gov-
erned company. Being well governed includes having an effective
risk management system with a risk aware stance.
In the UK, standards of corporate governance are established in the
Combined Code on Corporate Governance, which adopts a ‘comply
or explain’ approach. In the USA, Sarbanes-Oxley is dominant, with
criminal penalties for misleading investors through financial state-ments. In South Africa, the stakeholder approach adopted by the
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 151/189
King Report takes a wider view of governance. Best practice implies
adopting both the spirit and letter of corporate governance regula-
tion. In the UK, the Combined Code requires that boards of directors
identify, evaluate and manage significant risks in their organisations.
The traditional accounting and finance approach to risk uses tech-
niques such as decision trees, probability distributions, cost-vol-
ume-profit analysis, discounted cash flows, investment portfolios,
capital assets pricing model, and hedging techniques to reduce cur-
rency and interest rate exposure. Research has identified the role of
budgets in relation to risk. By excluding some risks and consider-
ing others, the process of constructing a budget was seen to be dif-
ferent to and interpreted separately from the content of the budget
(document) in which there was little evidence of risk modelling or
the use of probabilities.
The value of quantification as a technique for managing risk is not
universally accepted. This is because many risks are not objec-
tively identifiable and measurable but subjective and qualitative.
For example, the risks of litigation, economic downturns, loss of
key employees, natural disasters, and loss of reputation are all sub-
jective judgements. Risk is, therefore, to a considerable extent,
‘socially constructed’ and responses to risk need to reflect the per-
ceptions and social constructions of organisational participants.
Using a broader perspective like this, risk can be thought about by
reference to:
◆ the existence of internal or external events
◆ information about those events (i.e. their visibility)
◆ managerial perception about events and information (i.e. how
they are perceived) and
◆ how organisations establish tacit/informal or explicit/formalways of dealing with risk.
Best practice involves recognizing that information about risks may
be partial and unreliable and that risks are perceived in different
ways. It is important to use the available quantitative tools and tech-
niques where it is appropriate to do so, but to recognize that sub-
jective judgements need to be made as part of considering risk.
Shareholders understand the risk/return trade-off as they invest in
companies and expect boards to achieve a higher return than is
R i s k a n d M
a n a g e m e n t A c c o u n t i n g
122
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 152/189
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 153/189
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 154/189
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 155/189
126
This page intentionally left blank
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 156/189
R e f e r e n c e s
127
Adams J (1995) Risk . London: UCL Press
Beck U (1986, 1992 in translation) Risk Society . London: Sage
Berry AJ, Broadbent J, Otley D (1995) Procedures for control. In
Management Control: Theories, Issues and Practices, (AJ Berry, J
Broadbent, D Otley, eds). London: Macmillan
Berry AJ, Collier PM, Helliar CV (2005) Risk and control: the control of risk
and the risk of control. In Management Control: Theories, Issues and
Performance, 2nd edn, (AJ Berry, J Broadbent, D Otley, eds). Basingstoke:
Palgrave Macmillan, pp. 279–99
Bettis RA, Thomas H (1990) Risk, Strategy, and Management . Greenwich,
Conn: JAI Press
Bhattachayra S, Behara SA, Gunderson DE (2003) Business risk perspec-tives on information systems outsourcing. International Journal of
Accounting Information Systems, 4:75–93
Bussen W, Myers MD (1997) Executive information system failure: a New
Zealand case study. Journal of Information Technology , 12:145–153
Cadbury Code (1992) Report of the Committee on the Financial Aspects of
Corporate Governance: The Code of Best Practice. London: Professional
PublishingChartered Institute of Management Accountants (1999) Corporate
Governance: History, Practice and Future. London: CIMA Publishing
Chartered Institute of Management Accountants (2002) Risk Management:
A Guide to Good Practice. London: CIMA Publishing
Chartered Institute of Management Accountants (2003) Enterprise
Governance: Getting the Balance Right . London: CIMA/IFAC
Chartered Institute of Management Accountants (2005) CIMA Official
Terminology: 2005 edition. Oxford: Elsevier
Collier PM, Agyei-Ampomah S (2005) Management Accounting – Risk and
Control Strategy . Oxford: Elsevier
Collier PM, Berry AJ (2002) Risk in the process of budgeting. Management
Accounting Research, 13:273–297
Committee of Sponsoring Organisations of the Treadway Commission
(COSO) (1992) Internal Control – Integrated Framework
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 157/189
Committee of Sponsoring Organisations of the Treadway Commission
(COSO) (2003) Enterprise Risk Management Framework
Committee of Sponsoring Organisations of the Treadway Commission
(COSO) (2004) Enterprise Risk Management – Integrated Framework
Committee on Corporate Governance (1998) Final Report (HampelCommittee). http://www.ecgi.org/codes/documents/hampel.pdf
Davies D (2002a) Risk management – protecting reputation. Computer Law
and Security Report , 18:414–420
Davies D (2002b) World Trade Centre Lessons. Computer Law and Security
Report , 18:117–119
Douglas M, Wildavsky A (1983) Risk and Culture: An Essay on the
Selection of Technological and Environmental Dangers. Los Angeles:University of California Press
Financial Reporting Council (2003) The Combined Code on Corporate
Governance
Galbraith J (1977) Designing Complex Organizations. Reading, Mass.:
Addison-Wesley Publishing Company
Galbraith JR (1974) Organizational design: an information processing view.
Interfaces, 4:28–36
Greenbury, R. (1995) Directors’ Remuneration: Report of a Study Group
Chaired by Sir Richard Greenbury . http://www.ecgi.org/codes/
documents/greenbury.pdf
Harris EP (1999) Project risk assessment: a European field study. British
Accounting Review , 31:347–371
Harris EP (2000) Strategic investment decision-making: managerial judge-
ment on project risk and return. Journal of Applied Accounting
Research, 5:87–110
Helliar CV, Lonie AA, Power DM, Sinclair CD (2001) Managerial Attitudes
to Risk . Edinburgh: Institute of Chartered Accountants of Scotland
Helliar CV, Lonie AA, Power DM, Sinclair CD (2002) Managerial attitudes
to risk: a comparison of Scottish chartered accountants and UK managers.
Journal of International Accounting, Auditing & Taxation, 11:156–190
R e f e r e n c e s
128
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 158/189
R e f e r e n c e s
129
Higgs, D. (2003) Review of the Role and Effectiveness of Non-executive
Directors. Department of Trade and Industry http://www.dti.gov.
uk/files/file23012.pdf?pubpdfdload=03%2F636
Hofstede G (1980) Culture’s Consequences: International Differences in
Work Related Values. Beverly Hills: Sage Publications
Institute of Chartered Accountants in England & Wales (1999) Internal
Control: Guidance for Directors on the Combined Code, (Turnbull Report)
Institute of Risk Management (2002) A Risk Management Standard .
London: IRM
International Federation of Accountants (1999) Enhancing Shareholder
Wealth by Better Managing Business Risk. Rep. International
Management Accounting Study No. 9
Jiang JJ, Klein G (1999) Risks to different aspects of systems success.
Information and Management , 36:263–272
Knight, F.H. (1921). Risk, Uncertainty, and Profit . Boston MA, Houghton
Mifflin Co.
KPMG (2003) Programme Management Survey 2002–3. http://www.kpmg.
com.au/Portals/0/irmprm_pm-survey2003.pdf
Kumar RL (2002) Managing risks in IT projects; an options perspective.Information and Management , 40:63–74
Liebenberg AP, Hoyt RE (2003) The determinants of enterprise risk man-
agement: evidence from appointment of chief risk officers. Risk
Management and Insurance Review , 6:1
March JG, Shapira Z (1987) Managerial perspectives on risk and risk tak-
ing. Management Science, 33:1404–1418
Marshall C, Prusak L, Shpilberg D (1996) Financial risk and the need for supe-
rior knowledge management. California Management Review 38:77–101
McGoun EG (1995) The history of risk ‘measurement’. Critical Perspectives
on Accounting , 6:511–532
McKinsey & Co (2006) McKinsey on Finance. No. 18 http://corporatefinance.
mckinsey.com/_downloads/knowledge/mckinsey_on_finance/MoF_Issue_
18.pdf
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 159/189
Miller R, Lessard D (2001) Understanding and managing risks in large
engineering projects. International Journal of Project Management ,
19:437–443
Parker LD (2001) Back to the future: the broadening accounting trajectory.
British Accounting Review , 33: 421–453
Scapens RW, Ezzamel M, Burns J, Baldvinsdottir G (2003) The Future
Direction of UK Management Accounting Practice. Oxford: Elsevier
Shrivastava P (1993) The greening of business. In Business and the
Environment: Implications of the new Environmentalism, (D Smith, ed.).
London: Paul Chapman Publishing
Smith, R. (2003) Audit Committees: Combined Code Guidance. Financial
Reporting Council http://www.frc.org.uk/images/uploaded/documents/
ACReport.pdf
Solomon JF, Solomon A, Norton SD (2000) A conceptual framework for
corporate risk disclosure emerging from the agenda for corporate gover-
nance reform. British Accounting Review , 32: 447–478
Spira LF, Page M (2003) Risk management: The reinvention of internal con-
trol and the changing role of internal audit. Accounting, Auditing &
Accountability Journal , 16:640–661
Treadway Commission (1987) Report of the National Commission on
Fraudulent Financial Reporting . http://www.coso.org/NCFFR.pdf
Weber EU, Hsee C (1998) Cross-cultural differences in risk perception, but
cross-cultural similarities in attitudes towards perceived risk.
Management Science, 44:1205–1217
Weber EU, Milliman RA (1997) Perceived risk attitudes: relating risk per-
ception to risky choice. Management Science, 43:123–144
R e f e r e n c e s
130
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 160/189
Appendix 1
131
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 161/189
132
This page intentionally left blank
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 162/189
A
p p e n d i x 1
133
Section 1. About you
Years worked in current role:
< 2 years 2-5 y ears 5-10 years 10-15 years >15 years
1.1 Current job title:
Refuse to Prefer not Willing to Keen to
take risks to take risks Neutral take risks take risks
Reduced Reduced Not Increased Increased
significantly a little changed a little significantly
1.4 To what extent do you personally agree/disagree Strongly Strongly
with the following statements about risk management: disagree Disagree Neutral Agree agree
i. Risk management is about avoiding negative consequences
ii. Risk management is about achieving positive consequences
iii. Risk management should be more a matter of personal judgement
iv.
None 1-19% 20-39% 40-59% 60-79% 80-100%
(a) Insufficient About right Too involved No view
(b) Increasing Not changing Decreasing No view
Section 2. Your organisation
No Yes Parent Subsidiary
(Go to 2.2) (Go to 2.1)
Listed PLC Manufacturer/construction < £3m < 250
Unlisted PLC Retail/distribution £3m - £11m 250 - 1 000
Limited company Finance/ insurance £11 - £50m 1 001 - 3 000
Not-for-profit Services £50m - £100m 3 001 - 5 000
Public sector Other £100m - £500m 5 001 - 10 000
> £500m > 10 00 0
Very low Low Medium High Very high
i. Competitive intensity in your industry/sector
ii. Uncertainty in your industry/sector environment
iii. Risk faced by your organisation
iv. Risk faced within your industry/sector
2.1 Please indicate where your
organisation sits within the group:
2.4. Approximate company
turnover (£m):
2.5. Approximate
number of employees:
2.6 What is the degree of:
2.3. Which best describes the
nature of your business:
2.2. What is the ownership
structure of your organisation:
1.2 How would you describe your personal propensity to
take risks:
1.3 Over the last two years, has your personal propensity to
take risks:
2.0. Is your organisation part
of a group of companies:
1.5 What proportion of your work time is spent dealing
with risk management:
Risk management should be handled through a formal control
system that identifies, manages and reports risk
1.6 Do you personally feel that your level of involvement in
risk management is:
The information in your reply will be retained in strict confidence
Risk Management Questionnaire
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 163/189
Decreasing Decreasing Not Increasing Increasing
2.7 To what extent is: rapidly slowly changing slowly rapidly
i. Competitive intensity in your industry/sector
ii. Uncertainty in your industry/sector environment
iii. Risk faced by your organisation
iv. Risk faced within your industry/sector
disagree Disagree Agree agree
i. Legislation (including Combined Code and Turnbull Report)
ii. Regulatory bodies
iii. Expectations of shareholders/analysts
iv. The competitive business environment
v. Customers/clients who demand it
vi. A critical event or near miss
vii. Board/top management
viii. Are there other drivers of risk management in your organisation? Yes (Please describe below) No
Strongly
disagree Disagree Agree agree
i. Your organisation has an effective risk management policy
ii. Risks are well understood throughout your organisation
iii. Controlling risk is highly centralised within your organisation
iv. Your organisation regularly reviews internal controls
v. Risk management is embedded in your organisation's culture
vi. Formal procedures are in place for reporting risks
vii. The level of internal control is appropriate for the risks faced
viii. Your organisation is effective at prioritising risks
ix. Changes to risks are assessed and reported on an ongoing basis
Refuse to Prefer not Willing to Keen to
take risks to take risks Neutral take risks take risks
Reduced Reduced Not Increased Increased
significantly a little changed a little significantly
disagree Disagree Neutral Agree agree
i. About avoiding negative consequences
ii. About achieving positive consequences
iii. More a matter of personal judgement
iv.
i ii iiiHistorical approach Current Planned approach
2 years ago approach next 2 years
. One . One . One
Risk is not considered
Risk is considered tacitly, but not documented or formally managed
Risk is considered and formally documented in a systematic way
Risk is considered, documented and used to aid decision-making throughout the business
2.12 To what extent do you agree/disagree that risk
management in your organisation is:
Handled through a formal control system that identifies,
manages and reports risk
2.10 How would you describe your organisation's
propensity to take risks:
2.11 Over the last two years, has your organisation's
propensity to take risks:
2.8 To what extent do you agree/disagree that the
following are drivers of risk management in your
organisation:
2.9 To what extent do you agree/disagree with the
following statements:
2.13 Of the four approaches set out below, which ONE statement best
describes your organisations: i) historical, ii) current and
iii) planned approach to risk management:
Strongly
Strongly Strongly
Strongly Strongly
Neutral
Neutral
A p p e n d i x
1
134
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 164/189
A
p p e n d i x 1
(a) (b) (c) (d)
Identifying Analysing & Deciding on risk Reporting &
risks assessing risks management action monitoring risk
i. CEO/managing director
ii. The board/audit committee
iii. Director of finance
iv. Internal audit
v. Risk manager or similar post
vi. Management accountantvii. Line managers
viii. Other (please specify below)
Strongly Strongly
Strongly Strongly
disagree Disagree Agree agree
i. Shareholders/analysts
ii. Suppliers
iii. Customers
iv. Banks/financiers
disagree Disagree Neutral Agree agree
(a) Insufficient About right Too involved No view
(b) Increasing Not changing Decreasing No view
2.18 To what extent are the following methods:
Low Med High Low Med High
1 2 3 4 5 1 2 3 4 5
i. Experience, intuition, hindsight, judgement
ii. Brainstorming, scenario analysis, PEST or SWOT analysis
iii. Interviews, surveys, questionnaires
iv. Likelihood/consequences matrix
v. Use of auditors or external consultants
vi. Stochastic modelling, statistical analysis
vii. Risk management software
viii. Monitoring risks using a risk register or written reports
ix. Other (please specify below)
Not At the Subsequent Not at all Fully
considered start Throughout review 1 2 3 4 5
i. Strategic plans
i i. Budgets
iii. Operational plans
iv. Project management
v. One-off events (e.g. mergers)
vi. Capital investment
2.14 Who in your organisation is
primarily accountable for:
2.15 To what extent do you agree/disagree that the
following are involved in your organisation's risk
management:
(b) Effective in helping your
organisation to manage risk:
(a) Used by your organisation
to manage risk:
2.16 To what extent do you agree/disagree that
your organisation's management accounting and
risk management functions are integrated:
2.17 In terms of risk management, do you feel that the
level of involvement of management accounting in your
organisation is:
(b) To what extent are risks
identified and factored in:
2.19 When formulating the
following plans:
(a) Where is risk considered in the process:
Neutral
135
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 165/189
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 166/189
Appendix 2
137
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 167/189
138
This page intentionally left blank
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 168/189
A
p p e n d i x 2
139
Appendix 2 contains more detailed statistical information in rela-
tion to those tables in Chapter 3 which contain only mean and
standard deviation data.
T 3.4 Competitive intensity, uncertainty and risk
a) What is the degree of competitive
intensity in your industry/sector Very low Low Medium High Very high
Total sample 8.2% 9.7% 23.0% 35.8% 23.3%
CIMA 11.3% 11.3% 23.8% 32.1% 21.7%
FTSE 0.0% 8.2% 22.4% 42.9% 26.5%
SME 0.0% 2.4% 19.5% 48.8% 29.3%
b) What is the degree of uncertainty in
your industry/sector environment Very low Low Medium High Very high
Total sample 0.9% 16.7% 33.3% 37.0% 12.1%
CIMA 1.3% 19.6% 31.3% 36.7% 11.3%
FTSE 0.0% 8.2% 36.7% 42.9% 12.2%
SME 0.0% 9.8% 41.5% 31.7% 17.1%
c) What is the degree of risk faced
by your organisation Very low Low Medium High Very high
Total sample 0.6% 9.1% 43.5% 37.8% 9.1%
CIMA 0.8% 10.8% 39.2% 40.4% 8.8%
FTSE 0.0% 2.0% 56.0% 28.0% 14.0%
SME 0.0% 7.3% 53.7% 34.1% 4.9%
d) What is the degree of risk faced
within your industry/sector Very low Low Medium High Very high
Total sample 0.0% 9.4% 40.5% 41.1% 9.1%
CIMA 0.0% 10.4% 39.0% 42.7% 7.9%
FTSE 0.0% 6.1% 40.8% 38.8% 14.3%
SME 0.0% 7.3% 48.8% 34.1% 9.8%
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 169/189
T 3.5 Drivers of risk management
a) Legislation (including Combined
Code) is a driver of risk management Strongly Strongly
in your organisation: disagree Disagree Neutral Agree agree
Total sample 0.9% 7.0% 20.4% 55.9% 15.8%CIMA 0.8% 5.9% 22.3% 54.6% 16.4%
FTSE 2.0% 14.0% 12.0% 54.0% 18.0%
SME 0.0% 4.9% 19.5% 65.9% 9.8%
b) Regulatory bodies drive risk Strongly Strongly
management in the organisation: disagree Disagree Neutral Agree agree
Total sample 0.6% 6.4% 24.3% 50.8% 17.9%
CIMA 0.4% 5.9% 24.4% 50.8% 18.5%FTSE 2.0% 12.0% 20.0% 52.0% 14.0%
SME 0.0% 2.4% 29.3% 48.8% 19.5%
c) Expectations of shareholders/
analysts drive risk management Strongly Strongly
in the organisation: disagree Disagree Neutral Agree agree
Total sample 5.5% 12.3% 31.6% 43.3% 7.4%
CIMA 6.0% 14.0% 33.2% 38.7% 8.1%
FTSE 6.0% 4.0% 14.0% 70.0% 6.0%
SME 2.4% 12.2% 43.9% 36.6% 4.9%
d) The competitive business
environment drives risk management Strongly Strongly
in the organisation: disagree Disagree Neutral Agree agree
Total sample 1.5% 6.1% 21.6% 60.8% 10.0%
CIMA 2.1% 5.4% 22.2% 60.7% 9.6%
FTSE 0.0% 12.0% 24.0% 50.0% 14.0%
SME 0.0% 2.5% 15.0% 75.0% 7.5%
e) Customers/clients who demand it
drive risk management in the Strongly Strongly
organisation: disagree Disagree Neutral Agree agree
Total sample 1.8% 12.2% 29.6% 46.3% 10.1%
CIMA 0.8% 8.8% 29.8% 47.9% 12.6%
FTSE 8.2% 20.4% 34.7% 36.7% 0.0%
SME 0.0% 22.0% 22.0% 48.8% 7.3%
A p p e n d i x
2
140
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 170/189
A
p p e n d i x 2
141
f) A critical event or near miss was
the driver for risk management in Strongly Strongly
the organisation: disagree Disagree Neutral Agree agree
Total sample 0.9% 16.1% 27.1% 40.1% 15.8%
CIMA 1.3% 13.4% 27.7% 39.1% 18.5%
FTSE 0.0% 30.0% 26.0% 38.0% 6.0%
SME 0.0% 14.6% 24.4% 48.8% 12.2%
g) Board/top management drive risk Strongly Strongly
management in the organisation: disagree Disagree Neutral Agree agree
Total sample 0.0% 3.3% 24.0% 58.1% 14.6%
CIMA 0.0% 3.4% 24.4% 58.8% 13.4%
FTSE 0.0% 4.0% 22.0% 56.0% 18.0%
SME 0.0% 2.4% 24.4% 56.1% 17.1%
T 3.6 Stakeholder involvement in risk management
a) Shareholders /analysts are
involved in your organisation’s Strongly Strongly
risk management disagree Disagree Neutral Agree agree
Total sample 18.7% 32.0% 21.2% 24.1% 4.1%
CIMA 18.9% 33.5% 20.7% 22.5% 4.4%
FTSE 18.8% 25.0% 31.3% 22.9% 2.1%
SME 17.1% 31.7% 12.2% 34.1% 4.9%
b) Suppliers are involved in your Strongly Strongly
organisation’s risk management disagree Disagree Neutral Agree agree
Total sample 14.3% 33.2% 26.4% 24.8% 1.2%
CIMA 12.1% 35.8% 27.6% 23.3% 1.3%FTSE 22.4% 20.4% 28.6% 26.5% 2.0%
SME 17.1% 34.1% 17.1% 31.7% 0.0%
c) Customers are involved in your Strongly Strongly
organisation’s risk management disagree Disagree Neutral Agree agree
Total sample 9.3% 19.2% 21.7% 45.8% 4.0%
CIMA 7.3% 21.9% 20.6% 45.5% 4.7%
FTSE 14.3% 14.3% 30.6% 38.8% 2.0%SME 14.6% 9.8% 17.1% 56.1% 2.4%
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 171/189
d) Banks/financiers are involved in Strongly Strongly
your organisation’s risk management disagree Disagree Neutral Agree agree
Total sample 10.3% 21.5% 26.5% 37.7% 4.0%
CIMA 9.1% 24.1% 27.6% 33.6% 5.6%
FTSE 14.3% 10.2% 26.5% 49.0% 0.0%
SME 12.5% 20.0% 20.0% 47.5% 0.0%
T 3.7 Propensity to take risks
a) How would you describe your Refuse to Prefer not Willing to Keen to
personal propensity to take risks: take risks take risks Neutral take risks take risks
Total sample 0.9% 30.3% 23.7% 43.8% 1.2%
CIMA 1.2% 35.5% 24.0% 38.0% 1.2%
FTSE 0.0% 10.0% 26.0% 62.0% 2.0%
SME 0.0% 24.4% 19.5% 56.1% 0.0%
b) How would you describe your Refuse to Prefer not Willing to Keen to
organisation’s propensity to take risks take risks take risks Neutral take risks take risks
Total sample 0.9% 39.4% 17.3% 40.6% 1.8%
CIMA 1.3% 44.4% 16.3% 36.8% 1.3%
FTSE 0.0% 22.0% 20.0% 52.0% 6.0%
SME 0.0% 31.7% 19.5% 48.8% 0.0%
T 3.8 Changing propensity to take risks
a) Over the last two years, has your Reduced Reduced Not Increased Increasedpersonal propensity to take risks: significantly a little changed a little significantly
Total sample 2.7% 20.7% 45.9% 28.8% 1.8%
CIMA 2.5% 19.0% 43.0% 33.9% 1.7%
FTSE 2.0% 28.0% 54.0% 14.0% 2.0%
SME 4.9% 22.0% 53.7% 17.1% 2.4%
A p p e n d i x
2
142
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 172/189
A
p p e n d i x 2
143
b) Over the last two years, has your Reduced Reduced Not Increased Increased
organisation’s propensity to take risks: significantly a little changed a little significantly
Total sample 3.0% 18.4% 44.1% 30.5% 3.9%
CIMA 2.9% 17.1% 41.7% 35.0% 3.3%
FTSE 4.0% 22.0% 58.0% 14.0% 2.0%
SME 2.4% 22.0% 41.5% 24.4% 9.8%
T 3.12 Supporting processes and culture
a) Your organisation has an effective Strongly Strongly
risk management policy disagree Disagree Neutral Agree agree
Total sample 1.2% 14.8% 26.1% 48.8% 9.1%
CIMA 1.3% 17.5% 27.9% 44.6% 8.8%
FTSE 2.0% 4.1% 14.3% 65.3% 14.3%
SME 0.0% 12.2% 29.3% 53.7% 4.9%
b) Risks are well understood Strongly Strongly
throughout your organisation disagree Disagree Neutral Agree agree
Total sample 2.4% 18.5% 27.3% 48.5% 3.3%
CIMA 3.3% 20.8% 27.5% 44.6% 3.8%
FTSE 0.0% 14.3% 22.4% 61.2% 2.0%
SME 0.0% 9.8% 31.7% 56.1% 2.4%
c) Controlling risk is highly Strongly Strongly
centralised within your organisation disagree Disagree Neutral Agree agree
Total sample 4.5% 25.8% 20.6% 42.7% 6.4%
CIMA 2.9% 22.1% 23.8% 43.8% 7.5%
FTSE 14.3% 32.7% 14.3% 36.7% 2.0%
SME 2.4% 39.0% 9.8% 43.9% 4.9%
d) Your organisation regularly Strongly Strongly
reviews internal controls disagree Disagree Neutral Agree agree
Total sample 1.2% 9.1% 14.9% 62.0% 12.8%
CIMA 1.7% 10.5% 15.5% 59.4% 13.0%
FTSE 0.0% 0.0% 14.3% 75.5% 10.2%
SME 0.0% 12.2% 12.2% 61.0% 14.6%
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 173/189
e) Risk management is embedded in Strongly Strongly
your organisation’s culture disagree Disagree Neutral Agree agree
Total sample 4.2% 21.2% 28.8% 39.1% 6.7%
CIMA 4.6% 22.5% 28.3% 37.9% 6.7%
FTSE 4.1% 12.2% 34.7% 40.8% 8.2%
SME 2.4% 24.4% 24.4% 43.9% 4.9%
f) Formal procedures are in place Strongly Strongly
for reporting risks disagree Disagree Neutral Agree agree
Total sample 2.4% 15.8% 19.5% 53.2% 9.1%
CIMA 3.3% 17.2% 21.8% 48.5% 9.2%
FTSE 0.0% 8.2% 12.2% 69.4% 10.2%
SME 0.0% 17.1% 14.6% 61.0% 7.3%
g) The level of internal control is Strongly Strongly
appropriate for the risks faced disagree Disagree Neutral Agree agree
Total sample 0.9% 15.5% 23.6% 55.8% 4.2%
CIMA 1.3% 17.9% 25.8% 51.7% 3.3%
FTSE 0.0% 8.2% 20.4% 69.4% 2.0%
SME 0.0% 9.8% 14.6% 63.4% 12.2%
h) Your organisation is effective at Strongly Stronglyprioritising risks disagree Disagree Neutral Agree agree
Total sample 2.7% 15.8% 36.1% 42.7% 2.7%
CIMA 3.3% 17.9% 38.8% 37.5% 2.5%
FTSE 2.0% 10.2% 30.6% 55.1% 2.0%
SME 0.0% 9.8% 26.8% 58.5% 4.9%
i) Changes to risks are assessed and Strongly Strongly
reported on an ongoing basis disagree Disagree Neutral Agree agree
Total sample 2.4% 17.6% 22.2% 52.3% 5.5%
CIMA 2.5% 20.5% 24.7% 48.1% 4.2%
FTSE 4.1% 6.1% 14.3% 67.3% 8.2%
SME 0.0% 14.6% 17.1% 58.5% 9.8%
A p p e n d i x
2
144
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 174/189
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 175/189
T 3.18 Consequences of risk management
a) To what degree has risk management No Some Significant
improved performance and or improvement improvement improvement
outcomes in: Corporate planning 1 2 3 4 5
Total sample 9.6% 20.1% 47.9% 20.8% 1.6%CIMA 10.8% 22.0% 46.6% 19.3% 1.3%
FTSE 6.0% 12.0% 56.0% 24.0% 2.0%
SME 7.5% 20.0% 45.0% 25.0% 2.5%
No Some Significant
b) Improved resource allocation improvement improvement improvement
and utilisation 1 2 3 4 5
Total sample 9.7% 24.1% 42.3% 21.3% 2.5%
CIMA 10.5% 24.0% 41.0% 22.7% 1.7%
FTSE 8.0% 28.0% 40.0% 20.0% 4.0%
SME 7.5% 20.0% 52.5% 15.0% 5.0%
No Some Significant
c) Improved management reporting improvement improvement improvement
1 2 3 4 5
Total sample 9.1% 16.9% 39.2% 29.2% 5.6%
CIMA 10.5% 19.2% 40.2% 25.8% 4.4%
FTSE 8.0% 12.0% 40.0% 30.0% 10.0%
SME 2.5% 10.0% 32.5% 47.5% 7.5%
No Some Significant
d) Improved communication improvement improvement improvement
within the organisation 1 2 3 4 5
Total sample 13.2% 24.5% 37.1% 22.6% 2.5%
CIMA 14.0% 27.9% 35.8% 20.5% 1.7%FTSE 14.3% 22.4% 40.8% 20.4% 2.0%
SME 7.5% 7.5% 40.0% 37.5% 7.5%
No Some Significant
e) Improved relationships improvement improvement improvement
with shareholders 1 2 3 4 5
Total sample 27.5% 28.5% 28.5% 13.7% 1.8%
CIMA 27.1% 27.6% 29.6% 13.6% 2.0%
FTSE 31.9% 23.4% 25.5% 19.1% 0.0%
SME 23.7% 39.5% 26.3% 7.9% 2.6%
A p p e n d i x
2
146
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 176/189
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 177/189
No Some Significant
k) Improved employee confidence improvement improvement improvement
in carrying out their duties 1 2 3 4 5
Total sample 13.1% 27.8% 37.5% 20.0% 1.6%
CIMA 14.3% 30.4% 33.9% 19.6% 1.7%
FTSE 12.0% 24.0% 52.0% 12.0% 0.0%
SME 7.5% 17.5% 40.0% 32.5% 2.5%
l) Are there any other improvements
or benefits that have been realised Yes No
Total sample 9.5% 90.5%
CIMA 5.8% 94.2%
FTSE 28.6% 71.4%
SME 8.7% 91.3%
m) RM practices employed in your
organisation have delivered
benefits that exceed the cost of Strongly Strongly
those practices disagree Disagree Neutral Agree agree
Total sample 2.1% 7.6% 39.8% 44.1% 6.4%
CIMA 2.1% 8.8% 41.0% 42.7% 5.4%
FTSE 4.0% 6.0% 32.0% 46.0% 12.0%
SME 0.0% 2.5% 42.5% 50.0% 5.0%
T 3.19 Risk management options employed
a) Transferring the risk using insurance,
hedging, contracts, joint ventures or Low Medium High
partnerships, etc 1 2 3 4 5
Total sample 16.4% 11.9% 30.4% 28.9% 12.5%
CIMA 19.7% 12.2% 31.1% 24.4% 12.6%
FTSE 4.0% 8.0% 26.0% 42.0% 20.0%
SME 12.0% 14.6% 31.7% 39.0% 2.4%
A p p e n d i x
2
148
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 178/189
A
p p e n d i x 2
149
b) Decreasing the likelihood of the
risk through management action
e.g.quality management, project Low Medium High
management, R&D, training, etc. 1 2 3 4 5
Total sample 2.4% 8.8% 29.1% 44.5% 15.2%
CIMA 3.3% 9.6% 32.2% 40.6% 14.2%
FTSE 0.0% 4.0% 22.0% 54.0% 20.0%SME 0.0% 9.8% 19.5% 56.1% 14.6%
c) Decreasing adverse consequences
of the risk using contingency,
business continuity, fraud Low Medium High
control plans, etc. 1 2 3 4 5
Total sample 5.8% 16.7% 32.8% 36.5% 8.2%
CIMA 7.1% 18.1% 31.9% 33.2% 9.7%
FTSE 2.0% 10.0% 36.0% 44.0% 8.0%
SME 2.4% 17.1% 34.1% 46.3% 0.0%
T 3.20 Perceived effectiveness of risk management approaches
a) Effectiveness of transferring the Low Medium High
risk using insurance etc. 1 2 3 4 5
Total sample 15.4% 13.5% 29.2% 31.1% 10.8%
CIMA 19.5% 10.6% 29.7% 30.5% 9.7%
FTSE 0.0% 28.6% 18.4% 32.7% 20.4%
SME 10.0% 12.5% 40.0% 32.5% 5.0%
b) Effectiveness of decreasing the
likelihood of the risk through Low Medium High
management action etc. 1 2 3 4 5
Total sample 3.4% 8.6% 37.0% 38.5% 12.5%
CIMA 3.8% 9.3% 39.7% 37.1% 10.1%
FTSE 2.0% 2.0% 28.0% 46.0% 22.0%
SME 2.5% 12.5% 32.5% 37.5% 15.0%
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 179/189
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 180/189
Index
151
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 181/189
152
This page intentionally left blank
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 182/189
I n d e x
153
Accountability, 20see also Corporate governance
Accountantsrisk management, 40–1, 60–2, 85–8,
102–4, 105–7, 109–10, 113–16,119–23
see also Financial...; Management...
Accounting reports, ownership issues, 21,87Accounting textbooks, risk, 6, 27Action decisions, risk management, 60–73,
84–95Activism, shareholders, 5, 50–2, 71–2,
80–2, 117Adams, J, 15–16, 17–18, 23, 38, 66, 99–100,
108–9Added value, 10, 20, 81–2, 120, 123Agendas, board meetings, 79Alpha, risk management, 70–3
Alternative Investment Market, 42Analysis of variance (ANOVA), 45, 68–9Ansett Airlines, 4Appendices, 131–50Arthur Andersen, 4–5Auditing and inspection, risk
identification, 11, 60–2, 102–4Auditors, corporate governance, 3–5, 20,
81–2Australia, scandals, 4
Bank of Commerce & Credit International
(BCCI), 4, 5Basic methods, concepts, 44–5, 58–60,
67–73, 83–5, 101–7, 117–23BCCI see Bank of Commerce & Credit
InternationalBeck, U, 14Benchmarking, risk identification, 11Berry, AJ, 16–17, 19–20, 27, 28Best practice implications, 111–23Beta, risk management, 70–3, 103, 105,
120
Bias, respondents, 38Boards of directorscorporate governance, 3–5, 18–19,
49–52, 71–2, 80–2, 101–7, 113–16,122–3
enterprise risk management, 13,113–14
meetings, 79responsibilities, 3, 13, 79–95, 114–16risk management, 49–52, 71–2, 77–95,
101–7risk reporting, 12–13
see also DirectorsBrainstorming, 11–12, 59, 81
Budgets, 9, 16–17, 21, 27–34, 78, 87,100–1, 115–16, 122
case studies, 27–34, 100–1, 115–16concepts, 21, 27–34, 78, 87, 100–1,
115–16, 122current practices, 21flexibility, 21, 100–1
process and content, 27–34, 100–1, 116,122risk, 27–34, 78, 87, 100–1, 115–16, 122rolling forecasts, 21, 78, 116types, 27, 29–30, 32–4, 78, 100–1, 116
‘Buffer’ inventories, 9Business risk, 6, 7, 77–9Business sector
case studies, 28, 100–1, 115–16see also Organisations
Business strategy, management accounting,20–3, 99–100, 113–16, 120
The Cadbury Report , 5Capabilities, 21Capital asset pricing model, 6, 122Capital markets see Financial marketsCase studies, 25–34, 37–8, 100–1, 115–16Cash flow, 7Chartered Institute of Management
Accountants (CIMA), 5, 21–2, 28,42–73, 113, 115, 117, 119
Corporate Governance: History, Practiceand Future, 21–2
Enterprise Governance: Getting theBalance Right , 5, 22, 113
surveyed CIMA accountants, 42–73Checklists, risk identification, 11Chi square tests, 45, 52, 70CIMA see Chartered Institute of
Management AccountantsCollectivist cultures, 15Collier, PM, 16–17, 28Combined Code on Corporate Governance
(Financial Reporting Council, 2003),
3–5, 7, 18–19, 23, 34, 89–90, 106,113–15, 121–2Committee of Sponsoring Organisations
(COSO) of the Treadway Commission,4, 13, 19, 22, 113, 115
Communications, internal controls, 19–20,115–16
Competition, risk management drivers,49–51, 80–2, 101–7, 117
Complianceregulations, 18, 39–40, 50–1, 78–9, 80–3,
86–7, 90–1, 94, 101–7, 109, 118–23
‘tick-box’ compliance approach, 81–3,90–1, 94, 103, 121
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 183/189
Control procedures, 9Controls
concepts, 4–5, 7, 9, 18–23, 55–73, 80–2,102–7, 108–10, 113–16
excessive controls, 108–9, 115, 123‘illusion of control’, 113, 115management accounting, 20–3, 60–2,
85–8, 99–100, 102–4, 115–16, 119–20,123risk of control, 108–9, 115, 123see also Internal controls
Corporate governanceCombined Code on Corporate
Governance (Financial ReportingCouncil, 2003), 3–5, 7, 18–19, 23, 34,89–90, 106, 113–15, 121–2
concepts, 3–5, 7, 18–23, 34, 37–73, 80–2,90–4, 101–7, 109, 113–23
core issues, 4–5
definition, 3financial markets, 4–5, 70–1, 81–2, 120management accounting, 20–3, 115–16,
123media coverage, 4reports, 3, 5, 91, 113, 121–2risk management driver, 50–73, 80–2,
90–4, 101–7, 113–23Turnbull Guidance on internal control
(Institute of Chartered Accountants inEngland and Wales, 1999), 5, 7,18–19, 34, 37, 80–2, 89, 106, 109,
113UK, 3–5, 7, 18–19, 23, 34, 89–90, 91,
106, 113–15, 121–2Corporate Governance: History, Practice
and Future (CIMA), 21–2Corporate objectives, 10, 93, 123Corporate social responsibility, 93COSO see Committee of Sponsoring
OrganisationsCost-benefit analysis, 11–12, 40–1, 65–73,
88–90
Cost-volume-profit analysis, 6, 122Credit ratings, 93Crisis, 14Cronbach’s alpha coefficient, 43–7Cultural issues
risk management, 13, 15–16, 39–73,82–3, 87–8, 90–4, 99–100, 103–4,106–8, 113–16, 118–23
survey, 39–73, 82–3, 90–4, 101–7,118–23
Currency risk, 6, 122Customers, risk management drivers, 50–2,
80–2, 117
Databases, impacts, 21, 84–5Decentralised accounting knowledge,
impacts, 21, 115–16, 119Decision making
knowledge, 19–20, 115–16, 119lateral relations, 9, 22–3, 99–100management accounting, 20–3, 60–2,
85–8, 99–100, 102–4, 115–16,119–20, 123risk management, 57–73, 82–3, 90–4,
101–7, 118–23Decision trees, 6, 11, 122Delphi method, 11–12Demographics, 49, 52, 106–7Dependency modelling, 11Design, survey, 37–41Directors, 3–5, 12–13, 18–19, 49–52,
71–2, 77–95, 101–7, 113–16, 122–3corporate governance, 3–5, 18–19,
49–52, 71–2, 80–2, 101–7, 113–16,122–3
see also BoardsDisclosures, corporate governance, 3–5Discounted cash flow, 6, 122Diversification
concepts, 12–13see also Portfolio theory
Domains, risk, 27, 29–34, 100–1, 115–16Douglas, M, 14, 15–16, 17, 23, 38, 66, 99,
107–8Due diligence, 90
DuPont, 91
Earningsprofits, 3, 6, 80–2, 92–3, 113short-term profits, 3sustainability, 3
Economic risk, 13–14Effectiveness, 18–19, 41–73, 81–2, 83–5,
88–9, 103–4, 106–7, 114–16Efficiency, 18–19, 20–3Egalitarians
rationalities, 17–18, 23, 38, 66–73, 100,105–8, 117–23see also Risk awareness
Enhancing Shareholder Wealth by Better Managing Business Risk (IFAC), 6
Enron, 4, 91Enterprise Governance: Getting the Balance
Right (CIMA 2003), 5, 22, 113Enterprise risk management
definition, 13, 113–14see also Risk management
Enterprise Risk Management (COSO
2003/2004), 4, 13, 19, 22, 113, 115
I n d e x
154
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 184/189
I n d e x
155
Entrepreneurs, 17–18concepts, 17–18, 66–73, 100, 105–7,
123see also Individualists
Environmental issues, concepts, 7, 37–8,49–50, 80–2, 101–7, 118–23
Event uncertainty
concepts, 8–9, 77–9, 107–8see also RiskEvent-identification component, internal
controls, 19–20, 77–9, 99–100,115–16, 122–3
Events, risk definitions, 5–8, 77–9, 99–100,107–8, 122–3
Experience, 16–18, 84–5, 94, 103–7,114–15, 117–23
Explicit (formal) risk measures, 14, 23,57–8, 82–3, 99–100, 101–9, 116–23
Exploratory case studies see Case studies
External drivers, risk, 7–8, 14–15, 23,37–73, 80–2, 86–7, 94, 99–109, 117,119–23
Factor analysis, 43–7, 107Failure mode and effect analysis (FMEA), 11FAME, 42Fatalists
rationalities, 17–18, 23, 38, 66–73, 100,105–8, 117–23
see also Risk scepticsFault tree/event tree analysis, 11
Feedback/feed forward-type loops, 13–14Finance directors, 87–8, 103–4, 117–19,
121Financial accountants, risk management,
40–1, 60–2, 72–3, 85–8, 105–7Financial markets, 4–5, 69–73, 81–2, 103,
105, 120corporate governance, 4–5, 70–1, 81–2,
120risk, 69–73, 120
Financial plans see Budgets
Financial reporting, 20–1, 38–9, 87, 93Financial Reporting Council, 3–5, 7, 18–19,23, 34, 89–90, 106, 113–15, 121–2
Financial risk, concepts, 7, 29–34, 88–9,100–1, 120
Fish bone analysis, risk identification, 11Flexibility, 19–20, 21, 100–1, 108–9,
115–16, 123FMEA see Failure mode and effect analysisFour rationalities, concepts, 17–18, 23,
66–73, 100, 105–8, 117–23Fraud and Risk Management Working
Group (CIMA), 22
Fraudulent Financial Reporting (TreadwayCommission), 4
FTSE quoted companies, survey, 42–73,77–95, 101–7, 118–23
The Future Direction of UK Management Accounting Practice (Scapens), 20–1
Gains, risk, 7–8, 10–13Galbraith, J, 8–9, 22, 99, 107General meetings, shareholders, 3Germany, 91Goal setting, 8–9The Greenbury Report , 5Gross risk, 81Group constructs, survey, 43–8
Harris, EP, 16–17Hazard and operability studies (HAZOP), 11Hazards, 7–8, 11, 114, 123
Hedging techniques, 6, 13, 17–18, 64–5, 73,102, 105–7, 122
see also Risk sharingHelliar, CV, 16, 37, 107Heuristic methods, risk management, 55,
58–60, 66, 72, 101–2, 104–9, 116–23Hierarchists, rationalities, 17–18, 23,
66–73, 100, 105–7, 117–23HIH, 4Hofstede, G, 15, 99Holistic approaches, risk management,
10–12, 34, 57–8, 101–4, 118–23
Hsee, C, 15Human capabilities, procedures, 16–17Human reliability analysis, 11
IBM, 15IFAC see International Federation of
Accountants‘Illusion of control’, 113, 115Incident investigation, risk identification,
11Individualistic cultures, 15
Individualistsrationalities, 17–18, 23, 66–73, 100,105–7, 117–23
see also EntrepreneursInformation
internal controls, 19–20, 115–16, 119,122–3
management accounting, 20–3, 99–100,113–16, 119, 123
uncertainty concepts, 8–9, 22–3, 99–100Information systems, 7, 9, 22–3, 99–100
vertical information systems, 9, 22–3,
99–100
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 185/189
Institute of Chartered Accountants inEngland and Wales, 5, 7, 18–19, 34,37, 80–2, 89, 106, 113
Institute of Risk Management, 6, 7, 10, 22,113
Institutional investors, 3–5, 29, 50–2,78–82, 117, 121–3
activism, 5, 50–2, 71–2, 80–2, 117,121–2corporate governance, 3–5, 29, 50–2,
80–2, 101–7, 117, 121–2see also Shareholders
Insurance, 12–13, 64–5, 73, 102, 105–7see also Risk financing
Intangible assets, management accounting,20–3
Integrated Framework (COSO 2004), 13,113
Integrity
concepts, 4–5see also Corporate governance
Interest rate risk, 6, 122Internal Control-Integrated Framework
(COSO 1992), 4Internal controls
components, 19–20, 40–1, 115–16concepts, 4–5, 7, 18–23, 34, 40–1, 55–73,
77–95, 102–7, 108–10, 113–16definition, 18excessive controls, 108–9, 115, 123management accounting, 20–3, 115–16,
119–20, 123risk, 18–23, 34, 40–1, 55–73, 77–95,
102–7, 108–10, 113–16Internal drivers, risk, 7–8, 14–15, 23,
37–73, 80–2, 99–107, 117Internal-environment component, internal
controls, 19–20, 40–1, 55–73, 115–16International Federation of Accountants
(IFAC), 6, 18Interviews, 11, 28–9, 41–73, 75–95, 103–4,
109–10, 120–3
excerpts, 77–95methods, 77structure, 77summary, 94–5, 103–4, 109–10, 120–3survey, 41–73, 75–95, 103–7, 109–10,
120–3see also Survey
Intuition, 16–18, 84–5, 94, 103–7, 114–15,117–23
Italy, scandals, 4
Johnson and Johnson, 91, 95
Joint ventures, 64–5
King Report, 122Knight, Frank, 5, 8Knowledge, decision making, 19–20,
115–16, 119KPMG, 3
Lateral relations, decision making, 9, 22–3,
99–100Lead times, 9Legal risk, 13–14, 122Legislation
risk drivers, 7, 49–51, 78–9, 80–2, 86–7,94, 101–7, 117–22
see also RegulationsLikelihood/impact matrix, 12, 59, 84, 102Likert scale, 42Line managers, risk management, 60–2,
102–4Listing requirements, 4, 113
London Stock Exchange, 42Losses, risk, 7–8, 10–13
McGoun EG, 6McKinsey, 3Management accounting
changing role, 20–3, 60–73, 85–8, 94,99–100, 113–16, 119–23
definition, 20future prospects, 20–3, 113–16, 123information role, 20–3, 99–100, 113–16,
119, 123
risk management, 21–3, 40–1, 60–73,85–8, 102–4, 105–7, 109–10, 113–16,119–23
roles, 20–3, 37, 40–73, 85–8, 94, 105–7,113–16, 119–23
strategy, 20–3, 99–100, 113–16, 120, 123Management Accounting Research (Collier
and Berry), 28Managers, risk role, 13–18, 99–101, 105–7,
113–16, 119–23March, JG, 14–15, 32, 99
Marconi, 4Market valuations, 43, 93, 103, 105, 120Marshall, C, 19Maxwell, Robert, 4, 5Mean, survey, 44–5, 61–5Measures of central tendency and
dispersion, 11Media coverage, corporate governance, 4Mergers and acquisitions, 93Milliman, RA, 16, 99Mission, 13Modelling, 11, 27, 32–4, 59, 86, 94, 100–7,
116, 122
I n d e x
156
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 186/189
I n d e x
157
Monitoring, internal controls, 19–20, 40–1,55–73, 79, 115–16
Monte Carlo simulations, 11–12
Nadir, Asil, 4NASDAQ, 77Natural disasters, 13–14
Non-financial measures, performance, 21,115Not-for-profit sector, 28, 79
Objective judgements, risk, 13–14, 16,83–5, 94, 99–100, 103–7, 117–23
Objective-setting component, internalcontrols, 19–20, 115–16
OneTel, 4Openness see TransparencyOperational risk, concepts, 7, 29–34, 78–9,
86–7, 100–1
Opportunities, 38–73, 101–9, 113–14,117–23
Organisationsdesign strategies, 9, 22–3, 99–100,
104–7, 123survey, 11, 35–73, 77–95, 101–7, 118–23types, 40–73, 104–7, 113uncertainty, 9, 80–2, 118–23
Outsourcing, 14Ownership issues, accounting reports, 21,
87
P case study, 28–34Page, M, 20, 106, 113Parker, LD, 21Pasminco, 4Pension funds, 5, 90
see also Institutional investorsPerceptions
risk, 13–16, 23, 27–34, 40–73, 77–9,99–107, 110, 114–23
risk management, 62–5, 71–2, 77–9,99–107, 110, 114–23
see also Subjective judgementsPerformancemanagement accounting, 20–3, 99–100,
115–16, 123non-financial measures, 21, 115risk management, 66–73, 88–90, 93, 100,
102–7survey, 37–73, 101–7
PEST analysis, 11, 59Planning
management accounting, 20–3, 38–9,115–16, 123
survey, 38–73, 101–7
Political risk, 31–4, 100–1Polly Peck, 4, 5Portfolio theory, 12–13, 122
see also DiversificationPrincipal components analysis, 43–4Prioritising, risk, 55–7Probabilities
concepts, 5–6, 14–15, 27, 32, 59, 122risk definitions, 5–6Probability distributions, 6, 59, 122Process and content, budgets, 27–34,
100–1, 116, 122Processes, risk management, 55–73, 80–95,
101–7Profits, 3, 6, 80–2, 92–3, 113Project management, 14Psychological theories, risk assessment,
16–17, 23
Q case study, 28–34Questionnaires, 11, 59, 77
Rationalities, 17–18, 23, 27, 32, 37–73,99–100, 105–8, 117–23
budgets, 27, 100–1four rationalities, 17–18, 23, 66–73, 100,
105–8, 117–23Real option modelling, 11Regression analysis, 66–71, 73, 100, 102–3Regulations
compliance, 18, 39–40, 50–1, 78–9, 80–3,
86–7, 90–1, 94, 101–7, 109, 118–23risk, 7, 49–51, 78–9, 80–2, 86–7, 101–7,
118–23see also Legislation
Reputation risk, concepts, 7, 14, 29, 93, 122Research
conclusions, 116–23findings, 97–110limitations, 109–10summary, 94–5, 103–4, 109–10, 111–23see also Case studies; Survey
Research and development, 7Residual risk, 81Returns
expected returns, 8, 40, 122–3risk, 6–7, 8, 12, 15–17, 23, 83, 99–100,
113, 118–23Rho see Spearman’s rank order correlation
coefficientRisk
accounting textbooks, 6, 27 budgets, 27–34, 78, 87, 100–1, 115–16,
122
case studies, 27–34, 37–8, 100–1, 115–16
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 187/189
classifications, 7–8concepts, 5–23, 27–34, 99–110, 113–23control risks, 108–9, 115, 123definitions, 5–6, 8–9, 79, 122–3domains, 27, 29–34, 100–1, 115–16external/internal drivers, 7–8, 14–15, 23,
37–73, 80–2, 86–7, 90–4, 99–109,
113–16, 117–23gains, 7–8, 10–13identification, 10–13, 28–9, 40–73,
77–95, 99–107, 123internal controls, 18–23, 34, 40–1,
55–73, 77–95, 102–7, 108–10, 113–16interviews, 11, 28–9, 41–73, 75–95,
103–4, 109–10, 120–3losses, 7–8, 10–13managers, 13–18, 99–101objective judgements, 13–14, 16, 83–5,
94, 99–100, 103–7, 117–23
perceptions, 13–16, 23, 27–34, 40–73,77–9, 99–107, 110, 114–23
prioritising, 55–7returns, 6–7, 8, 12, 15–17, 23, 83,
99–100, 113, 118–23social construction, 14, 15–16, 23,
27–34, 99–100, 107–8, 114–16, 122–3subjective judgements, 13–14, 16, 72,
83–5, 89–90, 94, 99–100, 104–7,114–15, 117–23
survey, 11, 35–73, 77–95, 101–10, 118–23types, 6, 7, 69–73, 81, 122
uncertainty, 5–6, 22–3, 49–50, 99–100,107–10, 118–23
Risk appetite (profile), concepts, 12–13, 41,52–73, 77–9, 80–95, 99–100, 113–16,122–3
Risk assessmentconcepts, 10–14, 16–18, 28–9, 40–73,
83–95, 123internal controls, 19–20, 40–1, 55–73,
115–16, 123methods, 11, 58–60, 83–95, 101–7
psychological theories, 16–17, 23Risk attitudes, 15–16, 52–73, 77–95,99–100, 114–16
concepts, 15–16, 52–73, 77–9, 80–95,99–100, 114–16
survey, 52–73, 77–95, 101–7, 118–23Risk aversion, 15–16, 52–73, 104–7, 123Risk avoidance
concepts, 12–13, 15, 16, 54–5, 114–16risk taking, 16, 114–16
Risk awarenessconcepts, 17–20, 38–73, 100–1, 108,
117–23see also Egalitarians
Risk containment, 12, 33–4Risk control, 12–13Risk evaluation
concepts, 10–14methods, 11, 58–60, 101–7
Risk financing, 12–13, 64–5, 73, 102, 105–7see also Insurance
Risk managementaction decisions, 60–73, 84–95alpha, 70–3
basic methods, 44–5, 58–60, 67–73,83–5, 101–7, 117–23
benefits, 11–12, 40–1, 65–73, 88–90,113–23
beta, 70–3, 103, 105, 120case studies, 28–34, 37–8, 100–1,
115–16competition, 49–51, 80–2, 101–7concepts, 6, 7–9, 10–20, 32, 37–73,
80–95, 99–110, 113–23control risks, 108–9, 115, 123cost-benefit analysis, 11–12, 40–1,
65–73, 88–90cultural issues, 13, 15–16, 39–73, 82–3,
87–8, 90–4, 99–100, 103–4, 106–8,113–16, 118–23
decision making, 57–73, 82–3, 90–4,101–7, 118–23
definitions, 10, 13, 113drivers, 37–73, 80–2, 86–7, 90–4,
99–107, 113–16, 117–23
effectiveness, 18–19, 41–73, 81–2, 83–5,88–9, 103–4, 106–7, 114–16
financial market risk, 69–73, 120focus, 10future prospects, 13, 113–16good/poor contrasts, 93, 113–14heuristic methods, 55, 58–60, 66, 72,
101–2, 104–9, 116–23historical background, 6holistic approaches, 10–12, 34, 57–8,
101–4, 118–23
ideal types, 17–18, 23, 100, 117–23importance, 113–23interviews, 11, 28–9, 41–73, 75–95,
103–4, 109–10, 120–3management accounting, 21–3, 40–1,
60–73, 85–8, 102–4, 105–7, 109–10,113–16, 119–23
measures, 12–14, 81–2, 99–100, 101–9,122–3
methods, 37–73, 77–9, 82–94, 100–10,117–23
modes, 62–5
perceptions, 62–5, 71–2, 77–9, 99–107,110, 114–23
I n d e x
158
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 188/189
I n d e x
159
performance, 66–73, 88–90, 93, 100,102–7
practices, 37–73, 106–7, 117–23processes, 55–73, 80–95, 101–7safety considerations and profits, 92–3,
95, 109software, 11, 59, 83–5
stakeholders, 49–52standard elements, 10–13survey, 11, 35–73, 77–95, 101–10,
118–23technical methods, 44–5, 58–60, 67–73,
83–5, 94, 101–7, 117–23traditional approaches, 77–9, 120–2trends, 57–73, 82–94, 104–7, 117–23volatility, 70–3
The Risk Management Standard (Instituteof Risk Management), 6, 7, 10, 22, 113
Risk managers, 79–80
Risk maps, 11, 81, 84–5Risk neutrality, survey results, 52–73, 104–7Risk profile see Risk appetiteRisk propensity
concepts, 15–16, 52–73, 77–9, 80–95,99–100, 101–7, 113–16
survey results, 52–73, 80–95, 101–7,118–23
Risk reporting, concepts, 10–13, 55–73Risk response see Risk treatmentRisk sceptics
concepts, 18, 38–73, 100–1, 117–23
see also FatalistsRisk sharing, 12–13, 17–18, 33–4, 40–73,
100–1, 105–7see also Insurance
Risk stance, 38–73, 100, 102–10, 117–23Risk taking, 14–18, 52–73, 77–9, 99–100,
114–16managers, 14–18, 99–100risk avoidance, 16, 54–5, 114–16
‘Risk thermostat’, 15, 23, 99–100Risk transfer, 12–13, 33–4, 40–73, 100–1,
105–7Risk treatment (risk response)concepts, 10–14, 19–20, 40–73, 83–95,
99–100, 101–9, 115–16, 122–3internal controls, 19–20, 40–1, 55–73,
83–95, 115–16Risk, Uncertainty and Profit (Knight), 5–6Risk willing, survey results, 52–73, 80–95,
101–7Risk-benefit analysis, 11–12Risk-considered budgets, 27, 32–4, 100–1,
116
Risk-excluded budgets, 27, 29–30, 32–4,100–1, 116
Risk-free investments, 8, 123Risk-modelled budgeting, 27, 32–4, 100–1,
116Rolling forecasts, 21, 78, 116Root cause analysis, 11
S case study, 28–34
Safety considerations, 92–3, 95, 109Sarbanes-Oxley Act 2002, 4–5, 121–2Scandals, 4, 5, 91, 95Scapens, RW, 20–1Scenario analysis, 11, 59Securities and Exchange Commission, 4Self-contained tasks, 9, 22–3, 99–100Sensitivity analysis, 11–13, 27, 82–3September 11th 2001 terrorist attacks, 4Shapira, Z, 14–15, 32, 99Shareholder value, 6, 8, 20, 81–2, 120, 123Shareholders, 3–5, 6, 8, 18–23, 40, 49–52,
62–5, 80–2, 92–3, 101–7, 114–16activism, 5, 50–2, 71–2, 80–2, 117corporate governance, 3–5, 18–23, 80–2,
101–7, 114–16expected returns, 8, 40, 122–3general meetings, 3risk management drivers, 49–52, 80–2,
92–3, 101–7, 114–16, 117, 120–1safety considerations and profits, 92–3,
95, 109see also Institutional investors;
Stakeholders
Short-term profits, 3Skills, 21, 121Slack resources, 9, 22–3, 99–100Small and medium sized enterprises
(SMEs), survey, 42–73, 77–95, 101–7,118–23
Social construction, risk responses, 14,15–16, 23, 27–34, 99–100, 107–8,114–16, 122–3
Soft systems analysis, 11–12Software, risk management, 11, 59, 83–5
Solomon, JF, 37, 106South Africa, 121–2Spearman’s rank order correlation
coefficient (rho), 45–8Spira, LF, 3, 20, 106, 113SPSS, 43Stakeholders, 11, 12–13, 20–1, 39–73,
80–2, 101–7, 120–3risk management drivers, 49–52, 80–2,
101–7, 114–16, 117, 120–3risk reporting, 12–13, 49–51, 80–2risk-identification consultations, 11
survey, 39–73, 101–7see also Shareholders
7/22/2019 Risk and Management Accouting
http://slidepdf.com/reader/full/risk-and-management-accouting 189/189
Standard deviation, survey, 44–5, 61–5Statistical analysis, technical methods, 59,
83–5, 94, 101–7, 117–23Statistical inference, 11Stochastic modelling, technical methods,
59, 86, 94, 101–7, 117–23Strategy, 9, 13, 20–3, 99–100, 113–16, 120,
123enterprise risk management, 13, 113–14management accounting, 20–3, 99–100,
113–16, 120, 123Subjective judgements
risk, 13–14, 16, 72, 83–5, 89–90, 94,99–100, 104–7, 114–15, 117–23
see also PerceptionsSuppliers, risk management drivers, 50–2,
80–2Survey, 11, 35–48, 49–73, 77–95, 101–10,
118–23
analysis, 43–8, 110, 118–23demographics, 49, 52design, 37–41, 110group constructs, 43–8instrument, 41–3
Transparencyconcepts, 4–5, 80–2see also Corporate governance
Treadway Commission see Committee of Sponsoring Organisations
Trends, risk management, 57–73, 82–94,104–7, 117–23
Turnbull Guidance on internal control (Institute of Chartered Accountantsin England and Wales, 1999), 5, 7,18–19, 34, 37, 80–2, 89, 106, 109,113
Tyco, 4Tylenol, 91, 95
UKCombined Code on Corporate
Governance (Financial ReportingCouncil, 2003), 3–5, 7, 18–19, 23, 34,
89–90, 106, 113–15, 121–2corporate governance, 3–5, 7, 18–19, 23,
34, 89–90, 91, 106, 113–15, 121–2scandals, 4, 5
Uncertainty
I n d e x